Contents (excerpt)
display object group ... 502
network (IPv4 address object group view) ... 504
network (IPv6 address object group view) ... 506
object-group ... 508
port (port object group view) ... 509
service (service object group view) ... 511
...
Crypto engine commands ... 544
crypto-engine accelerator disable ... 544
display crypto-engine ... 544
display crypto-engine statistics ... 546
reset crypto-engine statistics ... 547
FIPS commands ... 549
display fips status ... 549
fips mode enable ...
...
udp-flood detect non-specific ... 658
udp-flood threshold ... 658
Support and other resources ... 660
Contacting HP ... 660
Subscription service ... 660
Related information ... 660
Documents ... 660
...
AAA commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
General AAA commands
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
Examples
# Set the maximum number of concurrent FTP users to 4.
<Sysname> system-view
[Sysname] aaa session-limit ftp 4
access-limit enable
Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users are accepted. Use undo access-limit enable to restore the default.
Default
The default accounting method of the ISP domain is used for command line accounting.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The command line accounting function works with the accounting server to record all commands that have been successfully executed on the device.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
accounting lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting lan-access
In FIPS mode:
accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo accounting lan-access
Default
The default accounting method for the ISP domain is used for LAN users.
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
• accounting default
...
primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
authentication default hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
...
authentication lan-access
Use authentication lan-access to configure the authentication method for LAN users. Use undo authentication lan-access to restore the default.
Syntax
In non-FIPS mode:
authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication lan-access
In FIPS mode:
...
# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local
Related commands
• authentication default
• hwtacacs scheme
• ldap scheme
...
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication).
Default
The default authentication method of the ISP domain is used for portal users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
Syntax
In non-FIPS mode:
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication ppp
In FIPS mode:
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] ...
[Sysname-isp-test] authentication ppp radius-scheme rd local
Related commands
• authentication default
• hwtacacs scheme
• local-user
• radius scheme
authentication super
Use authentication super to specify a method for user role authentication. Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
undo authentication super
...
Examples
# Configure ISP domain test to use HWTACACS scheme tac for user role authentication.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
Related commands
• authentication default
• hwtacacs scheme
• radius scheme
authorization command
Use authorization command to specify the command authorization method.
When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user role. The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server.
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
...
Related commands
• hwtacacs scheme
• local-user
• radius scheme
authorization lan-access
Use authorization lan-access to configure the authorization method for LAN users. Use undo authorization lan-access to restore the default.
Syntax
In non-FIPS mode:
authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization lan-access
In FIPS mode:
authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }
...
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access local
# Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local
Related commands
• authorization default
...
• FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory, but they do not have the access permission to the root directory.
• Other login users are assigned the default user role. For more information about the default user ...
undo authorization portal
Default
The default authorization method of the ISP domain is used for portal users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization. An authenticated portal user directly accesses the network.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Syntax
In non-FIPS mode:
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization ppp
In FIPS mode:
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] ...
[Sysname] domain test
[Sysname-isp-test] authorization-attribute idle-cut 30 10240
Related commands
display domain
display domain
Use display domain to display the ISP domain configuration.
Syntax
display domain [ isp-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.
Idle-cut : Enabled
Idle timeout: 2 minutes
Flow: 10240 bytes
IP pool: appy
Session time: Include idle time
Default domain name: system
Table 1 Command output
Field | Description
Domain | ISP domain name.
State | Status of the ISP domain.
Access limit | Limit to the number of user connections. If the number is not limited, this field displays Disabled.
Field | Description
Command authorization scheme | Command line authorization method.
Command accounting scheme | Command line accounting method.
Super authentication scheme | Authentication method for obtaining a temporary user role.
domain
Use domain to create an ISP domain and enter ISP domain view. Use undo domain to remove an ISP domain.
• domain if-unknown
• state (ISP domain view)
domain default enable
Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain. Use undo domain default enable to restore the default.
Syntax
domain default enable isp-name
undo domain default enable
...
Syntax
domain if-unknown isp-domain-name
undo domain if-unknown
Default
No ISP domain is specified for users that include unknown domain names.
Views
System view
Predefined user roles
network-admin
Parameters
isp-domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain the forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Default
The device does not include the idle cut period or online detection interval in the user online duration sent to the server.
Views
ISP domain view
Predefined user roles
network-admin
Usage guidelines
Configure the idle cut period feature based on the accounting policy in your network. If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Usage guidelines
By blocking an ISP domain, you disable offline users of the domain from requesting network services.
[Sysname] local-user abc
[Sysname-luser-manage-abc] access-limit 5
Related commands
display local-user
authorization-attribute (local user view/user group view)
Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 512 characters. The directory must already exist. By default, an FTP, SFTP, or SCP user can access the root directory of the device.
Usage guidelines
Configure authorization attributes according to the application environments and purposes.
Views
Local user view
Predefined user roles
network-admin
Parameters
call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.
subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters.
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
class: Specifies the local user type.
• manage: Device management user.
• network: Network access user.
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
service-type: Specifies the local users who use a specific type of service.
Password aging: Enabled (3 days)
Network access user jj:
State: Active
Service Type: Lan-access
User Group: system
Bind Attributes:
IP Address: 2.2.2.2
Location Bound: 3/3/2 (slot/subslot/port)
MAC Address: 0001-0001-0001
VLAN ID:
Calling Number:
Authorization Attributes:
Idle TimeOut: 33 (min)
Work Directory: flash:
ACL Number: 2000
...
Field | Description
Password complexity | This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:
• Whether the password can contain the username or the reverse of the username.
• Whether the password can contain any character repeated consecutively three or more times.
Table 3 Command output
Field | Description
Idle TimeOut | Idle timeout period, in minutes.
Callback-number | Authorized PPP callback number.
Work Directory | Directory that FTP, SFTP, or SCP users in the group can access.
ACL Number | Authorization ACL.
VLAN ID | Authorized VLAN.
Password control configurations | Password control attributes that are configured for the user group.
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign device management user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111 class manage
[Sysname-luser-manage-111] group abc
Related commands
display local-user
local-user
Use local-user to add a local user and enter local user view.
• ssh: SSH users.
• telnet: Telnet users.
• terminal: Terminal users who log in through console ports, AUX ports, or async ports.
Usage guidelines
If you do not specify the class { manage | network } option, this command adds a device management user.
hash: Sets a hashed password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive.
• In non-FIPS mode: A cipher password is a string of 1 to 117 characters. A hashed password is a string of 1 to 110 characters. A plaintext password is a string of 1 to 63 characters.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Predefined user roles
network-admin
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
Parameters set with the accounting-on enable command take effect immediately.
Examples
# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15
Related commands
display radius scheme
...
attribute 25 car
Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters. Use undo attribute 25 car to restore the default.
Syntax
attribute 25 car
undo attribute 25 car
Default
The RADIUS class attribute is not interpreted as CAR parameters.
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies a DAE client by its IPv4 address.
ipv6 ipv6-address: Specifies a DAE client by its IPv6 address.
key { cipher | simple } string: Sets the shared key for secure communication between the RADIUS DAE client and server.
Predefined user roles
network-admin
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Primary Auth Server:
IP : 2.2.2.2 Port: 1812 State: Active
VPN : vpn1
Test profile: 132
Probe username: test
Probe interval: 60 minutes
Primary Acct Server:
IP : 1.1.1.1 Port: 1813 State: Active
VPN : Not configured
Second Auth Server:
IP : Not configured Port: 1812 State: Block
VPN : Not configured
...
Field | Description
Second Acct Server | Information about the secondary accounting server.
IP | IP address of the server. If no server is configured, this field displays Not configured.
Port | Service port number of the server. If no port number is specified, this field displays the default port number.
Field | Description
Attribute 15 check-mode | RADIUS attribute 15 check mode for SSH, FTP, and terminal users:
• Strict: The device matches the SSH, FTP, and terminal services to the extended Login-Service attribute values of 50, 51, and 52, respectively.
• Loose: The device matches the SSH, FTP, and terminal services to the standard Login-Service attribute value of 0.
Field | Description
Acct. | Accounting packets.
SessCtrl. | Session-control packets.
Request Packet | Number of request packets.
Retry Packet | Number of retransmitted request packets.
Timeout Packet | Number of request packets timed out.
Access Challenge | Number of access challenge packets.
Account Start | Number of start-accounting packets.
Account Update | Number of accounting update packets.
simple: Sets a plaintext shared key.
string: Specifies the shared key string. This argument is case sensitive.
• In non-FIPS mode: A ciphertext shared key is a string of 1 to 117 characters. A plaintext shared key is a string of 1 to 64 characters.
• In FIPS mode: ...
If no source IP address is specified for outgoing RADIUS packets and a physical port fails, packets returned from the server cannot reach the device. HP recommends that you configure a loopback interface address as the source IP address for outgoing RADIUS packets.
undo port
Default
The port number is 3799.
Views
RADIUS DAE server view
Predefined user roles
network-admin
Parameters
port-number: Specifies a UDP port number in the range of 1 to 65535.
Usage guidelines
The destination port in DAE packets on the DAE client must be the same as the RADIUS DAE server port on the DAE server.
port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813.
key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.
The shared key configured by this command takes precedence over the shared key configured with the key authentication command.
When you specify a test profile for the primary authentication server, make sure the test profile already exists on the device. Otherwise, the device cannot detect the server status.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters.
interval interval: Specifies the interval for sending a detection packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60.
Usage guidelines
You can execute this command multiple times to configure multiple test profiles.
[Sysname] radius dynamic-author server
[Sysname-radius-da-server]
Related commands
• client
• port
radius dscp
Use radius dscp to change the DSCP priority of RADIUS packets. Use undo radius dscp to restore the default.
Syntax
radius [ ipv6 ] dscp dscp-value
undo radius [ ipv6 ] dscp
Default
The DSCP priority of RADIUS packets is 0.
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Views
System view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Related commands
nas-ip (RADIUS scheme view)
radius session-control enable
Use radius session-control enable to enable the session-control feature. Use undo radius session-control enable to restore the default.
Syntax
radius session-control enable
undo radius session-control enable
Default
The session-control feature is disabled and the UDP port 1812 is closed.
Views
System view
Predefined user roles
...
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time. The device supports at most 16 RADIUS schemes.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
Related commands
...
Predefined user roles
network-admin
Parameters
retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
• If the device does not receive a response to its request from the RADIUS server within the response ...
considers that a line or device failure has occurred, and stops accounting for the user. To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.
port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure that the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.
undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
Default
All types of notifications for RADIUS are enabled.
Views
System view
Predefined user roles
network-admin
Parameters
accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication server.
active: Specifies the active state, the normal operation state.
Syntax
state secondary { accounting | authentication } [ ip-address [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
...
[Sysname-radius-radius1] state secondary authentication block
Related commands
• display radius scheme
• radius-server test-profile
• state primary
timer quiet (RADIUS scheme view)
Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme. Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
...
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60.
Usage guidelines
When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.
undo timer response-timeout
Default
The RADIUS server response timeout period is 3 seconds.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.
Usage guidelines
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service.
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Usage guidelines
A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs.
Usage guidelines
The VPN specified here applies to all servers in the RADIUS scheme for which no VPN is specified.
Examples
# Specify VPN test for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] vpn-instance test
Related commands
display radius scheme
HWTACACS commands
data-flow-format (HWTACACS scheme view)
Related commands
display hwtacacs scheme
display hwtacacs scheme
Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.
Syntax
display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Response Timeout Interval(seconds)
Username Format : with-domain
------------------------------------------------------------------
Table 7 Command output
Field | Description
Index | Index number of the HWTACACS scheme.
Primary Auth Server | Primary HWTACACS authentication server.
Primary Author Server | Primary HWTACACS authorization server.
Primary Acct Server | Primary HWTACACS accounting server.
Secondary Auth Server | Secondary HWTACACS authentication server.
Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.
Syntax
hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
The source IP address of a packet sent to the server is the IP address of the outbound interface.
Examples
# Set the IP address for the device to use as the source address for HWTACACS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] hwtacacs nas-ip 129.10.10.1
Related commands
nas-ip (HWTACACS scheme view)
hwtacacs scheme
Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view. Use undo hwtacacs scheme to delete an HWTACACS scheme.
Syntax key { accounting | authentication | authorization } { cipher | simple } string undo key { accounting | authentication | authorization } Default No shared key is configured. Views HWTACACS scheme view Predefined user roles network-admin Parameters accounting: Sets the shared key for secure HWTACACS accounting communication. authentication: Sets the shared key for secure HWTACACS authentication communication.
Related commands display hwtacacs scheme nas-ip (HWTACACS scheme view) Use nas-ip to specify a source address for outgoing HWTACACS packets. Use undo nas-ip to delete a source address for outgoing HWTACACS packets. Syntax nas-ip { ipv4-address | ipv6 ipv6-address } undo nas-ip [ ipv6 ] Default The source IP address of an outgoing HWTACACS packet is the IP address configured by using the...
TCP connection each time it exchanges accounting packets with the primary accounting server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure that the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.
TCP connection each time it exchanges authentication packets with the primary authentication server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
TCP connection each time it exchanges authorization packets with the primary authorization server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
Usage guidelines Make sure that the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server. Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings.
TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure that the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server.
TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. If the HWTACACS server supports the single-connection method, HP recommends that you specify this keyword to reduce TCP connections for improving system performance.
timer quiet (HWTACACS scheme view) Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme. Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet Default The server quiet period is 5 minutes. Views HWTACACS scheme view Predefined user roles...
Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 prevents the device from sending online user accounting information to the HWTACACS accounting server. Usage guidelines For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically.
Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server. Examples # Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1. <Sysname>...
Examples # Configure the device to remove the ISP domain name from the username sent to the HWTACACS servers specified in HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] user-name-format without-domain Related commands display hwtacacs scheme vpn-instance (HWTACACS scheme view) Use vpn-instance to specify a VPN for an HWTACACS scheme.
Use undo authentication-server to remove the LDAP authentication server. Syntax authentication-server server-name undo authentication-server server-name Default No LDAP authentication server is specified. Views LDAP scheme view Predefined user roles network-admin Parameters server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.
Examples # Display the configuration of all LDAP schemes. <Sysname> display ldap scheme Total 1 LDAP schemes ------------------------------------------------------------------ LDAP Scheme Name : ldap-sch Authentication Server : cc : 2.2.2.2 Port : 389 VPN Instance LDAP Protocol Version : LDAPv2 Server Timeout Interval : 10 (seconds) Login Account DN : lda...
Field: Username Format
Description: Format for the username sent to the server.
Use ip to configure the IP address and port number of the LDAP server. Use undo ip to delete the LDAP server IP address and port number. Syntax ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ip Default...
Use undo ipv6 to delete the LDAP server IPv6 address and port number. Syntax ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ipv6 Default An LDAP server does not have an IP address. Views LDAP server view Predefined user roles network-admin Parameters...
Views System view Predefined user roles network-admin Parameters ldap-scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines An LDAP scheme can be referenced by more than one ISP domain at the same time. You can configure up to 16 LDAP schemes. Examples # Create an LDAP scheme named ldap1 and enter LDAP scheme view.
login-dn Use login-dn to specify the administrator DN. Use undo login-dn to remove the configuration. Syntax login-dn dn-string undo login-dn Default No administrator DN is specified. Views LDAP server view Predefined user roles network-admin Parameters dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters. Usage guidelines The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.
Views LDAP server view Predefined user roles network-admin Parameters cipher: Sets a ciphertext password. simple: Sets a plaintext password. password: Specifies the password string. This argument is case sensitive. If simple is specified, the password must be a string of 1 to 128 characters. •...
v3: Specifies the LDAP version LDAPv3. Usage guidelines For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server. If you change the LDAP version, the change is effective only for LDAP authentication that occurs after your change.
search-scope Use search-scope to specify the user search scope. Use undo search-scope to restore the default. Syntax search-scope { all-level | single-level } undo search-scope Default The user search scope is all-level. Views LDAP server view Predefined user roles network-admin Parameters all-level: Specifies that the search goes through all subdirectories of the base DN.
Predefined user roles network-admin Parameters time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds. Usage guidelines If you change the LDAP server timeout period, the change is effective only for LDAP authentication that occurs after your change. Examples # Set the LDAP server timeout period to 15 seconds.
Usage guidelines If the username on the LDAP server does not contain the domain name, specify the without-domain keyword. If the username contains the domain name, specify the with-domain keyword. Examples # Set the user object class to person. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] user-parameters user-object-class person Related commands...
802.1X commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The commands configured in Ethernet interface view are available only on the following ports: The fixed Layer 2 Ethernet ports on the MSR1000, MSR2004-24 and MSR2004-48 routers.
Reauth period : 3600 s Max auth requests SmartOn switch ID : 30 SmartOn supp timeout : 30 s SmartOn retry counts Domain delimiter Max 802.1X users : 1024 per slot Online 802.1X users GigabitEthernet2/1/1 is link-down 802.1X authentication : Enabled Handshake : Enabled Handshake security...
Field: CHAP authentication: Enabled
Description: Performs EAP termination and uses CHAP to communicate with the RADIUS server. If EAP or PAP is enabled, this field is not available.
Field: EAP authentication: Enabled
Description: Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server. If CHAP or PAP is enabled, this field is not available.
Field: Mandatory auth domain
Description: Mandatory authentication domain on the port.
Field: Guest VLAN
Description: 802.1X guest VLAN configured on the port. If no 802.1X guest VLAN is configured on the port, this field displays Not configured.
Field: Auth-Fail VLAN
Description: 802.1X Auth-Fail VLAN configured on the port. If no 802.1X Auth-Fail VLAN is configured on the port, this field displays Not configured.
# Display information about all online 802.1X users on the MSR1000, MSR2000 or MSR3000 router. <Sysname> display dot1x connection User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet2/1/1 Username: ias Authentication domain: HP IPv4 address: 192.168.1.1 IPv6 address: 2000:0:0:0:1:2345:6789:abcd Authentication method: CHAP Initial VLAN: 1...
Field: Termination action
Description: Action attribute assigned by the server when the session timeout timer expires. • Default—Logs off the online authenticated 802.1X user. This attribute does not take effect when periodic online user reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer.
PAP transports usernames and passwords in plain text. This authentication method applies to scenarios that do not require high security. To use PAP, the client can be an HP iNode 802.1X client. CHAP transports the username in plaintext and the password in encrypted form over the network. CHAP is more secure than PAP.
view does not take effect. For more information about the user-name-format command, see "RADIUS commands." Some network access devices provide the EAP server function, so you can use EAP relay even if the RADIUS server does not support any EAP authentication method or no RADIUS server is available. Local authentication supports PAP and CHAP.
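The difference between PAP and CHAP described above, modelled as an added example that is not part of this command reference and not HP's code: both sides of each exchange in Python, with the username, shared secret and challenge values constructed for the demonstration. The CHAP response follows RFC 1994 (MD5 over the identifier, the secret and the challenge value); the PAP request carries the password itself, which is why the reference rates PAP as suitable only where high security is not required.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential; not taken from the page.
USERNAME = "ias"
SECRET = b"constructed-sample-secret"


def pap_request(username, password):
    """PAP: the client puts the password itself in the request, so any
    observer of the exchange learns the credential."""
    return {"type": "PAP-Authenticate-Request", "peer_id": username,
            "password": password}


def pap_verify(request, stored_password):
    """Authenticator side of PAP: direct comparison of the received password."""
    return hmac.compare_digest(request["password"], stored_password)


def chap_challenge(challenge_id, value=None):
    """Authenticator side of CHAP: a fresh random challenge per attempt.
    `value` may be supplied to make an exchange reproducible."""
    if value is None:
        value = secrets.token_bytes(16)
    return {"type": "CHAP-Challenge", "id": challenge_id, "value": value}


def chap_digest(challenge_id, secret, challenge_value):
    # RFC 1994: Response value = MD5(Identifier || secret || Challenge value)
    return hashlib.md5(bytes([challenge_id]) + secret + challenge_value).digest()


def chap_response(challenge, username, secret):
    """Client side of CHAP: only the digest travels; the secret stays local."""
    return {"type": "CHAP-Response", "id": challenge["id"],
            "value": chap_digest(challenge["id"], secret, challenge["value"]),
            "name": username}


def chap_verify(challenge, response, secret):
    """Authenticator side: recompute the digest for the challenge it issued and
    compare in constant time. A response computed for another challenge (for
    example a captured, replayed one) fails because the challenge differs."""
    if response["id"] != challenge["id"]:
        return False
    expected = chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def secret_visible_on_wire(frame, secret):
    """Whether the secret appears verbatim in the frame a sniffer would see."""
    return any(v == secret for v in frame.values())


def demo():
    """Run one PAP and one CHAP exchange and report what each reveals."""
    pap = pap_request(USERNAME, SECRET)
    chal = chap_challenge(7)
    resp = chap_response(chal, USERNAME, SECRET)
    later_chal = chap_challenge(8)      # a later challenge from the authenticator
    return {
        "pap_ok": pap_verify(pap, SECRET),
        "pap_leaks_secret": secret_visible_on_wire(pap, SECRET),
        "chap_ok": chap_verify(chal, resp, SECRET),
        "chap_leaks_secret": secret_visible_on_wire(resp, SECRET),
        "chap_replay_ok": chap_verify(later_chal, resp, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the PAP request verifying while exposing the secret, and the CHAP response verifying against the challenge it answers, exposing nothing, and failing when presented against a later challenge.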
[Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] dot1x auth-fail vlan 100 Related commands display dot1x dot1x critical vlan Use dot1x critical vlan to configure an 802.1X critical VLAN on a port. Use undo dot1x critical vlan to restore the default. Syntax dot1x critical vlan vlan-id undo dot1x critical vlan Default No 802.1X critical VLAN is configured on any port.
Syntax dot1x domain-delimiter string undo dot1x domain-delimiter Default The device supports only the at sign (@) delimiter for 802.1X users. Views System view Predefined user roles network-admin Parameters string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters.
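How the device takes a username apart into userid and ISP domain, and what user-name-format (described above for the RADIUS, HWTACACS and LDAP schemes) does to the name before it goes to the server, as an added example that is not part of this command reference and not HP's code. Names and values are constructed. Two points are assumptions rather than statements from the page: when several configured delimiters appear in a name, the leftmost one is treated as the domain delimiter, and a name without a domain falls back to a default domain.

```python
# Added example: models how a NAS splits "userid@isp-name" and applies
# user-name-format. The device's own parsing code is not shown on the page;
# the leftmost-delimiter rule and the default-domain fallback are assumptions.

DEFAULT_DELIMITERS = "@"   # device default before dot1x domain-delimiter is set


def validate_delimiters(delimiters):
    """Mirror the dot1x domain-delimiter constraints: a set of 1 to 16
    delimiter characters written without spaces."""
    if not 1 <= len(delimiters) <= 16:
        raise ValueError("delimiter set must contain 1 to 16 characters")
    if " " in delimiters:
        raise ValueError("delimiters are written without spaces between them")
    return delimiters


def split_username(username, delimiters=DEFAULT_DELIMITERS):
    """Return (userid, isp_domain).

    Assumption: the leftmost configured delimiter found in the name separates
    the userid from the ISP domain name; a name containing no configured
    delimiter carries no domain, so isp_domain is None.
    """
    validate_delimiters(delimiters)
    positions = [username.find(d) for d in delimiters if d in username]
    if not positions:
        return username, None
    cut = min(positions)
    return username[:cut], username[cut + 1:]


def select_isp_domain(username, default_domain, delimiters=DEFAULT_DELIMITERS):
    """ISP domain the device uses to look up the user's AAA settings: the
    domain carried in the username if present, otherwise the default domain
    (the fallback is an assumption)."""
    _, domain = split_username(username, delimiters)
    return domain if domain else default_domain


def username_for_server(username, user_name_format, delimiters=DEFAULT_DELIMITERS):
    """Apply the scheme's user-name-format before the name goes to the server:
    without-domain sends only the userid, with-domain sends the name unchanged."""
    if user_name_format not in ("with-domain", "without-domain"):
        raise ValueError("user-name-format must be with-domain or without-domain")
    userid, _ = split_username(username, delimiters)
    return userid if user_name_format == "without-domain" else username


def server_record_matches(username, user_name_format, server_record,
                          delimiters=DEFAULT_DELIMITERS):
    """Check the usage guideline that the name format must agree with how the
    account is stored on the server: True when the name the device would send
    equals the server's stored account name."""
    return username_for_server(username, user_name_format, delimiters) == server_record


if __name__ == "__main__":
    print(split_username("bob@hp"), select_isp_domain("bob", "system"))
    print(username_for_server("bob@hp", "without-domain"))
```

`server_record_matches` is the check behind the LDAP guideline above: if the accounts on the server are stored without the domain part, only without-domain produces a name the server will find.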
Predefined user roles network-admin Parameters guest-vlan-id: Specifies the ID of the 802.1X guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created. Usage guidelines An 802.1X guest VLAN accommodates users who have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
Examples # Enable the online user handshake function on GigabitEthernet 2/1/1. <Sysname> system-view [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] dot1x handshake Related commands • display dot1x • dot1x timer handshake-period • dot1x retry
dot1x handshake secure Use dot1x handshake secure to enable the online user handshake security function. Use undo dot1x handshake secure to disable the function.
dot1x mandatory-domain Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port. Use undo dot1x mandatory-domain to remove the mandatory authentication domain. Syntax dot1x mandatory-domain domain-name undo dot1x mandatory-domain Default No mandatory authentication domain is specified. Views Ethernet interface view Predefined user roles network-admin...
Views Ethernet interface view Predefined user roles network-admin Parameters user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 256. Usage guidelines Set the maximum number of concurrent 802.1X users on a port to prevent the system resources from being overused.
[Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] dot1x multicast-trigger Related commands • display dot1x • dot1x timer tx-period • dot1x unicast-trigger
dot1x port-control Use dot1x port-control to set the authorization state for the port. Use undo dot1x port-control to restore the default. Syntax dot1x port-control { authorized-force | auto | unauthorized-force } undo dot1x port-control...
dot1x port-method Use dot1x port-method to specify an access control method for the port. Use undo dot1x port-method to restore the default. Syntax dot1x port-method { macbased | portbased } undo dot1x port-method Default MAC-based access control applies. Views Ethernet interface view Predefined user roles network-admin Parameters...
Default The quiet timer is disabled. Views System view Predefined user roles network-admin Usage guidelines When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. You can use the dot1x timer quiet-period command to set the quiet timer.
<Sysname> system-view [Sysname] dot1x timer reauth-period 1800 [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] dot1x re-authenticate Related commands • display dot1x • dot1x timer
dot1x re-authenticate server-unreachable keep-online Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port. This feature keeps authenticated 802.1X users online when no server is reachable for 802.1X reauthentication.
Default The maximum number of times the device can send an authentication request to a client is two. Views System view Predefined user roles network-admin Parameters max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client.
When a SmartOn-enabled port receives an EAPOL-Start packet from an 802.1X client, it sends a unicast EAP-Request/Notification packet to the client. The client will respond with an EAP-Response/Notification packet, which contains the SmartOn switch ID and the MD5 digest of the SmartOn password. If the SmartOn switch ID and MD5 digest in the packet match the SmartOn switch ID and MD5 digest on the device, the device continues to perform 802.1X authentication for the client.
If you execute the dot1x smarton password command multiple times, the most recent configuration takes effect. Examples # Set the SmartOn password to abc in plain text. <Sysname> system-view [Sysname] dot1x smarton password simple abc Related commands • display dot1x • dot1x smarton •...
• dot1x smarton timer supp-timeout
dot1x smarton switchid Use dot1x smarton switchid to configure a SmartOn switch ID. Use undo dot1x smarton switchid to restore the default. Syntax dot1x smarton switchid switch-string undo dot1x smarton switchid Default No SmartOn switch ID is configured. Views System view Predefined user roles...
Views System view Predefined user roles network-admin Parameters time-value: Sets the SmartOn client timeout timer. The value range is 10 to 120, in seconds. Usage guidelines The SmartOn client timeout timer starts when the device sends an EAP-Request/Notification packet to the client.
Predefined user roles network-admin Parameters handshake-period handshake-period-value: Sets the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024. quiet-period quiet-period-value: Sets the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120. reauth-period reauth-period-value: Sets the periodic reauthentication timer in seconds.
• Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
reset dot1x guest-vlan Use reset dot1x guest-vlan to remove users from the 802.1X guest VLAN on a port. Syntax reset dot1x guest-vlan interface interface-type interface-number [ mac-address mac-address ] Views User view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. mac-address mac-address: Specifies the MAC address of an 802.1X user in the guest VLAN.
MAC authentication commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The commands configured in Ethernet interface view are available only on the following ports: The fixed Layer 2 Ethernet ports on the MSR1000, MSR2004-24 and MSR2004-48 routers.
Online MAC-auth users Silent MAC users: MAC address VLAN ID From port Port index 0001-0000-0000 GigabitEthernet2/1/2 0001-0000-0000 GigabitEthernet2/1/3 0001-0000-0000 GigabitEthernet2/1/4 GigabitEthernet2/1/1 is link-up MAC authentication : Enabled Authentication domain : Not configured Auth-delay timer : Enabled Auth-delay period : 60 s Re-auth server-unreachable : Logoff Host mode : Multiple VLAN...
Field: Authentication domain
Description: MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays "Not configured, use default domain."
Field: Max MAC-auth users
Description: Maximum number of MAC authentication users each card supports.
Field: Online MAC-auth users
Description: Number of online MAC authentication users.
# Display information about all online MAC authentication users on the MSR1000, MSR2000 or MSR3000 router. <Sysname> display mac-authentication connection User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet2/1/1 Username: ias Authentication domain: HP Initial VLAN: 1 Authorization untagged VLAN: 100 Authorization ACL ID: 3001 Authorization user profile: N/A Termination action: Radius-request...
Authorization ACL ID: 3001 Authorization user profile: N/A Termination action: Radius-request Session timeout period: 2 s Online from: 2013/03/02 13:14:15 Online duration: 0h 2m 15s Total 1 connection(s) matched.
Table 13 Command output
Field: Slot ID
Description: Slot number of the card. (MSR4000.)
Field: User MAC address
Description: MAC address of the user.
Syntax mac-authentication undo mac-authentication Default MAC authentication is not enabled globally or on any port. Views System view, Ethernet interface view Predefined user roles network-admin Usage guidelines To use MAC authentication on a port, you must enable the feature both globally and on the port. Examples # Enable MAC authentication globally.
Usage guidelines The global authentication domain applies to all MAC authentication-enabled ports. A port-specific authentication domain applies only to the port. You can specify different authentication domains on different ports. A port chooses an authentication domain for MAC authentication users in this order: Authentication domain specified on the port.
When the MAC authentication multi-VLAN mode is enabled, do not specify authorization VLANs for MAC authentication users on the port. Examples # Enable MAC authentication multi-VLAN mode on GigabitEthernet 2/1/1. <Sysname> system-view [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] mac-authentication host-mode multi-vlan Related commands display mac-authentication mac-authentication max-user...
Use undo mac-authentication re-authenticate server-unreachable to restore the default. Syntax mac-authentication re-authenticate server-unreachable keep-online undo mac-authentication re-authenticate server-unreachable Default The keep-online feature is disabled. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication. Views Ethernet interface view Predefined user roles...
Predefined user roles network-admin Parameters offline-detect offline-detect-value: Sets the offline detect timer in the range of 60 to 65535, in seconds. quiet quiet-value: Sets the quiet timer in the range of 1 to 3600, in seconds. server-timeout server-timeout-value: Sets the server timeout timer in the range of 100 to 300, in seconds. Usage guidelines MAC authentication uses the following timers: Offline detect timer—Sets the interval that the device waits for traffic from a user before the device...
Usage guidelines When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC authentication.
simple: Sets a plaintext password. password: Specifies the password. This argument is case sensitive. If simple is specified, the password must be a string of 1 to 117 characters. If cipher is specified, the password must be a ciphertext string of 1 to 88 characters. mac-address: Uses MAC-based user accounts for MAC authentication users.
Parameters interface interface-type interface-number: Specifies a port by its type and number. Usage guidelines If you do not specify a port, the command clears all global and port-specific MAC authentication statistics. Examples # Clear MAC authentication statistics on port GigabitEthernet 2/1/1. <Sysname>...
Portal commands display portal interface Use display portal interface to display portal configuration and portal running state on an interface. Syntax display portal interface interface-type interface-number Views Any view Predefined user roles network-admin network-operator Parameters interface-type interface-number: Specifies an interface by its type and number. Examples # Display portal configuration and portal running state on interface GigabitEthernet 2/1/1.
Authentication domain: my-domain BAS-IPv6:Not configured User detection: Type: ICMPv6 Interval: 300s Attempts: 5 Idle time: 180s Action for server detection: Server type Server name Action Web server wbsv6 fail-permit Portal server ptsv6 fail-permit Layer3 source network: IP address Prefix length 11::5 Destination authentication subnet: IP address...
Field: Destination authentication subnet
Description: Information of the portal authentication destination subnet.
Field: IP address
Description: IP address of the portal authentication subnet.
Field: Mask
Description: Subnet mask of the portal authentication subnet.
Field: Prefix length
Description: Prefix length of the IPv6 portal authentication subnet address.
Related commands • portal domain
ACK_CHALLENGE REQ_AUTH ACK_AUTH REQ_LOGOUT ACK_LOGOUT AFF_ACK_AUTH NTF_LOGOUT REQ_INFO ACK_INFO NTF_USERDISCOVER NTF_USERIPCHANGE AFF_NTF_USERIPCHAN ACK_NTF_LOGOUT NTF_HEARTBEAT NTF_USER_HEARTBEAT ACK_NTF_USER_HEARTBEAT NTF_CHALLENGE NTF_USER_NOTIFY AFF_NTF_USER_NOTIFY
Table 15 Command output
Field: Portal server
Description: Name of the portal authentication server.
Field: Invalid packets
Description: Number of invalid packets.
Field: Pkt-Type
Description: Packet type.
Field: REQ_INFO
Description: Information request packet.
Field: ACK_INFO
Description: Information acknowledgement packet.
Field: NTF_USERDISCOVER
Description: User discovery notification packet the portal authentication server sent to the access device.
Field: NTF_USERIPCHANGE
Description: User IP change notification packet the access device sent to the portal authentication server.
Field: AFF_NTF_USERIPCHAN
Description: User IP change success notification packet the portal authentication server sent to the access device.
Parameters all: Displays all portal rules, including dynamic and static portal rules. dynamic: Displays dynamic portal rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface. static: Displays static portal rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled.
Source: : 0.0.0.0 Mask : 0.0.0.0 Interface : GigabitEthernet2/1/1 VLAN : Any Protocol : TCP Destination: : 0.0.0.0 Mask : 0.0.0.0 Port : 80 Rule 4: Type : Static Action : Deny Status : Active Source: : 0.0.0.0 Mask : 0.0.0.0 Interface : GigabitEthernet2/1/1 VLAN...
: 0015-e9a6-7cfe Interface : GigabitEthernet2/1/1 VLAN : Any Author ACL: Number : 3001 Rule 3 Type : Static Action : Redirect Status : Active Source: : :: Prefix length Interface : GigabitEthernet2/1/1 VLAN : Any Protocol : TCP Destination: : :: Prefix length Port : 80...
Field: Protocol
Description: Transport layer protocol permitted by the portal rule: • Any—Permits any transport layer protocol. • TCP—Permits TCP. • UDP—Permits UDP.
Field: Status
Description: Status of the portal rule: • Active—The portal rule is effective. • Unactuated—The portal rule is not activated.
Field: Source
Description: Source information of the portal rule.
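How a portal-enabled interface filters packets by the static and dynamic rules that display portal rule lists, as an added example that is not part of this command reference and not HP's code. The rule set is constructed: the Redirect rule for TCP port 80 and the Deny-everything rule mirror Rule 3 and Rule 4 in the output above, the dynamic Permit rule for one source host stands for a user who passed authentication, and a Permit rule for UDP 53 to a constructed resolver address stands in for a portal-free rule. Two things are assumptions: rules are evaluated in ascending number and the first active match decides, and a packet matching no rule is denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example modelled on the display portal rule fields; the evaluation
# order (ascending rule number, first active match wins) and the default
# action (deny) are assumptions, and all addresses are constructed.


@dataclass(frozen=True)
class PortalRule:
    number: int
    rule_type: str                  # "Static" or "Dynamic"
    action: str                     # "Permit", "Deny" or "Redirect"
    status: str                     # "Active" or "Unactuated"
    source: ipaddress.IPv4Network   # 0.0.0.0/0 means any source
    interface: str
    protocol: str                   # "Any", "TCP" or "UDP"
    destination: ipaddress.IPv4Network
    dst_port: Optional[int]         # None means any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    interface: str
    protocol: str
    dst_port: int


def matches(rule, pkt):
    """True when an active rule's interface, protocol, port and address
    fields all cover the packet; an Unactuated rule never matches."""
    if rule.status != "Active" or rule.interface != pkt.interface:
        return False
    if rule.protocol != "Any" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.source
            and ipaddress.ip_address(pkt.dst) in rule.destination)


def evaluate(rules, pkt):
    """Return (action, rule number) of the first matching rule in ascending
    number order, or ("Deny", None) when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "Deny", None


ANY = ipaddress.IPv4Network("0.0.0.0/0")
IF = "GigabitEthernet2/1/1"

SAMPLE_RULES = [
    # Dynamic rule whose status is still Unactuated: it must be ignored.
    PortalRule(0, "Dynamic", "Permit", "Unactuated",
               ipaddress.IPv4Network("192.168.1.2/32"), IF, "Any", ANY, None),
    # Dynamic rule for a host that passed portal authentication (constructed).
    PortalRule(1, "Dynamic", "Permit", "Active",
               ipaddress.IPv4Network("192.168.1.1/32"), IF, "Any", ANY, None),
    # Static permit for DNS to a constructed resolver, as a portal-free rule would add.
    PortalRule(2, "Static", "Permit", "Active", ANY, IF, "UDP",
               ipaddress.IPv4Network("10.0.0.53/32"), 53),
    # Rule 3 from the output: redirect unauthenticated HTTP to the portal Web server.
    PortalRule(3, "Static", "Redirect", "Active", ANY, IF, "TCP", ANY, 80),
    # Rule 4 from the output: deny everything else on the interface.
    PortalRule(4, "Static", "Deny", "Active", ANY, IF, "Any", ANY, None),
]


if __name__ == "__main__":
    for pkt in (Packet("192.168.1.1", "93.184.216.34", IF, "TCP", 443),
                Packet("192.168.1.2", "93.184.216.34", IF, "TCP", 80),
                Packet("192.168.1.2", "93.184.216.34", IF, "TCP", 443)):
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
```

The interesting cases are the second and third packets: the same unauthenticated host is redirected on port 80 but denied on port 443, which is the behaviour a user sees as "only the browser lands on the login page".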
Parameters server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines If you do not specify the server-name argument, this command displays information about all portal authentication servers. Examples # Display information about portal authentication server pts. <Sysname>...
display portal user Use display portal user to display information about portal users. Syntax display portal user { all | interface interface-type interface-number } Views Any view Predefined user roles network-admin network-operator Parameters all: Displays information about portal users on all interfaces. interface interface-type interface-number: Specifies an interface by its type and number.
Field: Authorization ACL
Description: Authorized ACL for the portal user. If the portal user does not have an authorized ACL, this field displays None.
Field: VPN instance
Description: MPLS L3VPN where the portal user resides. If the portal user is on a public network, this field displays two hyphens (--).
Table 19 Command output
Field: Portal Web server
Description: Name of the portal Web server.
Field: URL
Description: URL of the portal Web server.
Field: URL parameters
Description: URL parameters for the portal Web server.
Field: VPN instance
Description: Name of the MPLS L3VPN where the portal Web server resides.
Description: Parameters for portal Web server detection: •...
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN where the portal authentication server resides by the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server is on the public network, do not specify this option. key: Specifies a shared key for communication with the portal authentication server.
Parameters ipv6-address: Specifies the IP address of the IPv6 portal authentication server. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN where the portal authentication server resides by the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server is on the public network, do not specify this option.
Predefined user roles network-admin Parameters port-id: Specifies the destination UDP port number the access device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534. Usage guidelines The specified port must be the port on which the portal authentication server listens for portal packets. Examples # Configure the destination UDP port number as 50000 for the device to send unsolicited portal packets to portal authentication server pts.
IPv4 or IPv6 address specified on the portal authentication server. You must configure the BAS-IP/BAS-IPv6 attribute on an authentication-enabled interface if the portal device IPv4 or IPv6 address specified on an HP IMC portal authentication server is not the IPv4 or IPv6 address of the interface.
server-name: Specifies a portal Web server to be referenced on the interface by its name, a case-sensitive string of 1 to 32 characters. The name must already exist. fail-permit: Enables the portal fail-permit function on the interface. The portal fail-permit function allows portal users to access the Internet without authentication when the portal Web server is unreachable.
Related commands display portal user portal domain Use portal [ ipv6 ] domain to configure a portal authentication domain on an interface. All portal users accessing through the interface must use the authentication domain. Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain. Syntax portal [ ipv6 ] domain domain-name undo portal [ ipv6 ] domain...
undo portal [ ipv6] fail-permit server Default Portal fail-permit is disabled for the portal authentication server. Views Interface view Predefined user roles network-admin Parameters ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server.
Views Interface view Predefined user roles network-admin Parameters ipv4-network-address: Specifies an IPv4 portal authentication subnet address. mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to mask: Specifies the subnet mask in dotted decimal format. Usage guidelines Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules).
Default No IP-based portal-free rule is configured. Views System view Predefined user roles network-admin Parameters rule-number: Specifies a portal-free rule number in the range of 0 to 4294967295. destination: Specifies the destination information. source: Specifies the source information. ip ip-address: Specifies an IPv4 address for the portal-free rule. { mask-length | mask }: Specifies the subnet mask of the IPv4 address.
Default
No IPv6 portal authentication source subnet is configured on the interface. Portal users from any IPv6 subnet must pass portal authentication.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6-network-address: Specifies an IPv6 portal authentication source subnet address.
prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.
Usage guidelines
With IPv6 authentication source subnets configured, only packets from IPv6 users on the authentication source subnets can trigger portal authentication.
Views
Interface view
Predefined user roles
network-admin
Parameters
type: Specifies the type of detection packets.
• nd—ND packets.
• icmpv6—ICMPv6 packets.
retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10, and the default is 3.
portal max-user
Use portal max-user to set the maximum number of total portal users allowed in the system.
Use undo portal max-user to restore the default.
Syntax
portal max-user max-number
undo portal max-user
Default
The total number of portal users allowed in the system is not limited.
Views
System view
Predefined user roles...
Predefined user roles
network-admin
Usage guidelines
This command applies only to portal users that log in from VLAN interfaces.
If portal roaming is enabled, an online portal user can access network resources from any Layer 2 port in its local VLAN. If portal roaming is disabled, the portal user can access network resources only from the Layer 2 port on which it passes authentication.
Examples
# Create portal authentication server pts and enter its view.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts]
Related commands
display portal server
portal user-detect
Use portal user-detect to enable online detection of IPv4 portal users on an interface.
Use undo portal user-detect to restore the default.
Syntax
portal user-detect type { arp | icmp } [ retry retries ] [ interval interval ] [ idle time ]
undo portal user-detect...
If the device receives a reply, it stops sending detection packets. Then the device restarts the idle timer and waits for the packets from the user.
Direct authentication and re-DHCP authentication support both ARP detection and ICMP detection. Cross-subnet authentication only supports ICMP detection.
If firewall policies on the access device filter out ICMP packets, ICMP detection might fail and result in the logout of portal users.
Predefined user roles
network-admin
Parameters
timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds.
{ log | trap } *: Specifies the action to be taken after the device detects a reachability status change of the portal authentication server.
Predefined user roles
network-admin
Parameters
interval interval: Specifies a detection interval in the range of 10 to 1200 seconds. The default is 20 seconds.
retry retries: Specifies the maximum number of consecutive detection failures, in the range of 1 to 10. The default is 3.
Predefined user roles
network-admin
Parameters
url-string: Specifies a URL for the portal Web server, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command specifies a URL that can be accessed through standard HTTP or HTTPS. The URL should start with http:// or https://.
If you configure a URL parameter multiple times, the most recent configuration takes effect. After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users. For example, assume that the URL of a portal Web server is http://www.test.com/portal, and you execute the url-parameter userip source-address and url-parameter userurl value http://www.test.com/welcome commands.
authentication server. Make sure the user heartbeat interval configured on the portal authentication server is not greater than the synchronization detection timeout configured on the access device. Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server.
Examples
# Configure the MPLS L3VPN for portal Web server wbs as abc.
<Sysname> system-view
[Sysname] portal web-server wbs
[Sysname-portal-websvr-wbs] vpn-instance abc...
Port security commands
In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
The commands configured in Layer 2 Ethernet interface view are available only on the following ports:
• The fixed Layer 2 Ethernet ports on the MSR1000, MSR2004-24 and MSR2004-48 routers.
Max secure MAC addresses : 64
Current secure MAC addresses : 1
Authorization : Permitted
Table 20 Command output
Field                  Description
Port security          Status of the port security feature: Enabled or Disabled.
AutoLearn aging time   Sticky MAC address aging timer, in minutes.
Disableport timeout    Silence period (in seconds) of the port that receives illegal packets.
Field                          Description
Current secure MAC addresses   Number of secure MAC addresses stored.
Authorization                  Indicates whether the authorization information from the authentication server (RADIUS server or local device) is ignored or not:
                               • Permitted—Authorization information from the authentication server takes effect.
                               •...
MAC ADDR          Port       VLAN ID
000f-3d80-0d2d    GE2/1/1
--- On slot 2, 1 MAC address(es) found ---
--- 1 mac address(es) found ---
# Display the count of all blocked MAC addresses on the MSR1000, MSR2000 or MSR3000 router.
<Sysname> display port-security mac-address block count
--- 2 mac address(es) found ---
# Display the count of all blocked MAC addresses on the MSR4000 router.
<Sysname> display port-security mac-address block interface gigabitethernet 2/1/1
MAC ADDR          Port       VLAN ID
000f-3d80-0d2d    GE2/1/1
--- On slot 2, 1 MAC address(es) found ---
--- 1 mac address(es) found ---
# Display information about all blocked MAC addresses of port GigabitEthernet 2/1/1 in VLAN 1 on the MSR1000, MSR2000 or MSR3000 router.
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.
count: Displays only the count of the secure MAC addresses.
Usage guidelines
If you do not specify any parameters, the command displays information about all secure MAC addresses.
1 mac address(es) found
Table 22 Command output
Field       Description
MAC ADDR    Secure MAC address.
VLAN ID     ID of the VLAN to which the port belongs.
STATE       Type of the MAC address added. Security means it is a secure MAC address.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] port-security authorization ignore
Related commands
display port-security
port-security enable
Use port-security enable to enable port security.
Use undo port-security enable to disable port security.
Syntax
port-security enable
undo port-security enable
Default
Port security is disabled.
Views
System view
Predefined user roles...
Use undo port-security intrusion-mode to restore the default.
Syntax
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode
Default
Intrusion protection is disabled.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses.
Examples
# Enable port security, set port GigabitEthernet 2/1/1 in autoLearn mode, and set the maximum number of secure MAC addresses allowed on the port to 100.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] port-security max-mac-count 100
[Sysname-GigabitEthernet2/1/1] port-security port-mode autolearn
# Specify MAC address 0001-0002-0003 in VLAN 4 as a sticky MAC address.
Examples
# Enable MAC move.
<Sysname> system-view
[Sysname] port-security mac-move permit
Related commands
display port-security
port-security max-mac-count
Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port.
Use undo port-security max-mac-count to restore the default.
Syntax
port-security max-mac-count count-value
undo port-security max-mac-count...
Related commands
display port-security
port-security ntk-mode
Use port-security ntk-mode to configure the NTK feature.
Use undo port-security ntk-mode to restore the default.
Syntax
port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }
undo port-security ntk-mode
Default
NTK is disabled on a port and all frames are allowed to be sent.
Views
Layer 2 Ethernet interface view
Predefined user roles...
Syntax
port-security oui index index-value mac-address oui-value
undo port-security oui index index-value
Default
No OUI value is configured.
Views
System view
Predefined user roles
network-admin
Parameters
index-value: Specifies the OUI index, in the range of 1 to 16.
oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.
Default
A port operates in noRestrictions mode, where port security does not take effect.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
Keyword    Security mode    Description
A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses but to the secure MAC address table as secure MAC addresses.
The port security automatically modifies these settings in different security modes.
HP recommends that you do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode on the port where the MAC authentication delay is enabled. The two modes are mutually exclusive with the MAC authentication delay function. For more information about MAC authentication delay, see "MAC authentication commands."
Examples
# Enable port security and configure port GigabitEthernet 2/1/1 to operate in secure mode.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] port-security port-mode secure
# Change the port security mode of port GigabitEthernet 2/1/1 to userLogin.
Related commands
• display port-security
• port-security mac-address security
port-security timer disableport
Use port-security timer disableport to set the silence period during which the port remains disabled.
Use undo port-security timer disableport to restore the default.
Syntax
port-security timer disableport time-value
undo port-security timer disableport
Default
The port silence period is 20 seconds.
Password control commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display password-control
Use display password-control to display password control configuration.
Password composition: Enabled (1 types, 1 characters per type)
Table 23 Command output
Field               Description
Password control    Whether the password control feature is enabled.
Password aging      Whether password expiration is enabled and, if enabled, the expiration time.
Password length     Whether the minimum password length restriction function is enabled and, if enabled, the setting.
Parameters
user-name name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user.
Usage guidelines
If you do not specify any arguments, this command displays information about all users in the password control blacklist.
Default
The password control functions (aging, composition, history, and length) are all enabled.
Views
System view
Predefined user roles
network-admin
Parameters
aging: Enables the password expiration function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
length: Enables the minimum password length restriction function.
Use undo password-control aging to restore the default.
Syntax
password-control aging aging-time
undo password-control aging
Default
A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs.
• password-control aging enable
password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Use undo password-control alert-before-expire to restore the default.
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
Default...
setting. The password complexity checking policy for a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
Parameters
same-character: Refuses a password that contains any character appearing consecutively three or more times.
Default
In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type.
In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type.
type-length type-length: Specifies the minimum number of characters that are from each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
Usage guidelines
The password composition policy depends on the view:
• The policy in system view has global significance and applies to all user groups.
Default
In non-FIPS mode, the password control feature is disabled globally.
In FIPS mode, the password control feature is enabled globally and cannot be disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A specific password control function takes effect only after the global password control feature is enabled.
times times: Sets the maximum number of times a user can log in after the password expires. The value range is 0 to 10, and 0 means that a user cannot log in after the password expires.
Usage guidelines
This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.
Related commands
• display password-control
• password-control history enable
• reset password-control blacklist
password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
In non-FIPS mode, the global minimum password length is 10 characters.
<Sysname> system-view
[Sysname] password-control length 16
# Set the minimum password length to 16 characters for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control length 16
[Sysname-ugroup-test] quit
# Set the minimum password length to 16 characters for device management user abc.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control length 16
Related commands...
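The following Python checker is an added example (not HP code and not part of this command reference) that applies the password-control rules described above for the same-character, composition (type-number and type-length, with the FIPS-mode limits) and minimum length settings, so an operator can test a candidate password against a planned policy before configuring it. It assumes the four character types are uppercase letters, lowercase letters, digits and special characters.

```python
"""Password composition / length checker modelled on the password-control
rules described above. Added example, not HP code.

Assumption: the four character types are uppercase letters, lowercase
letters, digits and special (punctuation) characters.
"""
from __future__ import annotations

import string
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Assumed character types; characters outside these sets count toward no type.
CHARACTER_TYPES: Dict[str, FrozenSet[str]] = {
    "uppercase": frozenset(string.ascii_uppercase),
    "lowercase": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "special": frozenset(string.punctuation),
}


@dataclass(frozen=True)
class CompositionPolicy:
    min_length: int = 10            # non-FIPS global default from the page
    type_number: int = 1            # minimum number of character types
    type_length: int = 1            # minimum characters from each type
    same_character: bool = False    # refuse 3+ identical consecutive characters
    fips_mode: bool = False


def validate_policy(policy: CompositionPolicy) -> List[str]:
    """Return configuration errors for a policy (empty list = valid).

    Ranges from the command reference: type-length is 1 to 63 in non-FIPS mode
    and 1 to 15 in FIPS mode; FIPS mode requires at least four character types.
    """
    errors: List[str] = []
    max_type_length = 15 if policy.fips_mode else 63
    if not 1 <= policy.type_length <= max_type_length:
        errors.append(f"type-length must be 1 to {max_type_length}")
    if not 1 <= policy.type_number <= len(CHARACTER_TYPES):
        errors.append(f"type-number must be 1 to {len(CHARACTER_TYPES)}")
    if policy.fips_mode and policy.type_number < 4:
        errors.append("FIPS mode requires at least four character types")
    if policy.min_length < 1:
        errors.append("minimum length must be positive")
    return errors


def check_password(password: str, policy: CompositionPolicy) -> List[str]:
    """Return the policy violations for a password (empty list = accepted)."""
    violations: List[str] = []

    # Minimum password length restriction.
    if len(password) < policy.min_length:
        violations.append(
            f"length {len(password)} is below the minimum of {policy.min_length}")

    # Composition: a type counts as present only if it contributes at least
    # type_length characters; at least type_number types must be present.
    counts = {name: sum(1 for ch in password if ch in chars)
              for name, chars in CHARACTER_TYPES.items()}
    present = [name for name, n in counts.items() if n >= policy.type_length]
    if len(present) < policy.type_number:
        violations.append(
            f"only {len(present)} character type(s) have at least "
            f"{policy.type_length} character(s); {policy.type_number} required")

    # same-character: no character may appear three or more times in a row.
    if policy.same_character:
        for i in range(len(password) - 2):
            if password[i] == password[i + 1] == password[i + 2]:
                violations.append(
                    f"character {password[i]!r} appears three or more times consecutively")
                break
    return violations


if __name__ == "__main__":
    policy = CompositionPolicy(type_number=4, type_length=1, same_character=True)
    for candidate in ("Abc1#defghi", "aaab1C#defg", "short"):
        print(candidate, "->", check_password(candidate, policy) or "accepted")
```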
Related commands
display password-control
password-control login-attempt
Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.
Use undo password-control login-attempt to restore the default.
Syntax
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
undo password-control login-attempt...
If an FTP or VTY user fails to log in after making the maximum login attempts, the system adds the user account and the user's IP address to the password control blacklist. This user account is locked for only this user. Other users can still use this user account, and the blacklisted user can use other user accounts.
Whether a blacklisted user and user account are locked depends on the locking setting:
• If a user account is permanently locked for a user, the user cannot use this account unless this user...
# Verify that after 3 minutes, the user account is removed from the password control blacklist and the user at 192.168.44.1 can use this user account.
Related commands
• display local-user
• display password-control
• display password-control blacklist
• display user-group
• reset password-control blacklist...
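As an added example (not HP code and not from this command reference), the following Python model reproduces the blacklist behaviour described above: after login-times consecutive failures the (user account, client IP) pair is blacklisted, the account is locked only for that user, and the lock is permanent (lock), timed (lock-time, in minutes, as in the 3-minute example) or absent (unlock). The "unlock" handling (listed but not locked), the default lock_time and the use of explicit timestamps in seconds are assumptions of the example.

```python
"""Model of the password-control login-attempt blacklist described above.
Added example, not HP code. Assumptions: exceed="unlock" records the pair
without locking it; time is passed in as seconds so the model is testable.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[str, str]  # (user account, client IP address)


@dataclass(frozen=True)
class LoginAttemptPolicy:
    login_times: int            # maximum consecutive login failures
    exceed: str = "lock"        # "lock", "lock-time" or "unlock"
    lock_time: int = 1          # minutes; used only when exceed == "lock-time" (assumed default)

    def __post_init__(self) -> None:
        if self.exceed not in ("lock", "lock-time", "unlock"):
            raise ValueError(f"unknown exceed action {self.exceed!r}")


@dataclass
class BlacklistEntry:
    mode: str                   # exceed action in force when blacklisted
    blacklisted_at: float       # seconds
    unlock_at: Optional[float]  # set only for lock-time


class PasswordControlBlacklist:
    def __init__(self, policy: LoginAttemptPolicy) -> None:
        self.policy = policy
        self._failures: Dict[Key, int] = {}       # consecutive failures per pair
        self._entries: Dict[Key, BlacklistEntry] = {}

    def record_failure(self, user: str, ip: str, now: float) -> bool:
        """Count one failed login; return True if the pair was just blacklisted."""
        key = (user, ip)
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] < self.policy.login_times:
            return False
        del self._failures[key]
        unlock_at = None
        if self.policy.exceed == "lock-time":
            unlock_at = now + self.policy.lock_time * 60
        self._entries[key] = BlacklistEntry(self.policy.exceed, now, unlock_at)
        return True

    def record_success(self, user: str, ip: str) -> None:
        """A successful login ends the run of consecutive failures."""
        self._failures.pop((user, ip), None)

    def is_locked(self, user: str, ip: str, now: float) -> bool:
        """True if this user (account + IP) may not log in with this account.

        Only the blacklisted pair is locked: the same account from another IP
        and other accounts from the same IP are unaffected.
        """
        entry = self._entries.get((user, ip))
        if entry is None or entry.mode == "unlock":
            return False
        if entry.mode == "lock":
            return True
        assert entry.unlock_at is not None
        if now >= entry.unlock_at:        # lock-time expired: leave the blacklist
            del self._entries[(user, ip)]
            return False
        return True

    def is_blacklisted(self, user: str, ip: str, now: float) -> bool:
        """What 'display password-control blacklist' would show for the pair."""
        self.is_locked(user, ip, now)    # purge an expired lock-time entry first
        return (user, ip) in self._entries

    def reset(self, user: Optional[str] = None) -> int:
        """Model of reset password-control blacklist [ user-name name ]."""
        keys = [k for k in self._entries if user is None or k[0] == user]
        for k in keys:
            del self._entries[k]
        return len(keys)


if __name__ == "__main__":
    bl = PasswordControlBlacklist(LoginAttemptPolicy(3, "lock-time", 3))
    for t in (0.0, 1.0, 2.0):
        bl.record_failure("abc", "192.168.44.1", t)
    print("locked now:", bl.is_locked("abc", "192.168.44.1", 10.0))
    print("locked after 3 min:", bl.is_locked("abc", "192.168.44.1", 2.0 + 180))
```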
Default
In non-FIPS mode, a super password must contain at least one character type and at least one character for each type.
In FIPS mode, a super password must contain at least four character types and at least one character for each type.
Predefined user roles
network-admin
Parameters
length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode.
Examples
# Set the minimum length of super passwords to 16 characters.
<Sysname>...
reset password-control blacklist
Use reset password-control blacklist to remove blacklisted users.
Syntax
reset password-control blacklist [ user-name name ]
Views
User view
Predefined user roles
network-admin
Parameters
user-name name: Specifies the username of a user account to be removed from the password control blacklist.
If you do not specify the role role name option, this command deletes the history records of all super passwords.
Examples
# Clear the history password records of all local users (enter Y to confirm).
<Sysname> reset password-control history-record
Are you sure to delete all local user's history records? [Y/N]:y
Related commands
password-control history...
Public key management commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display public-key local public
Use display public-key local public to display local public keys.
Key name: serverkey (default) Key type: RSA Time when key pair created: 15:40:48 2011/05/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2011/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7 9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03 92D8C6D940890BF4290203010001 # Display all local DSA public keys.
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD 35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123 91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1 585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8 3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74 0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7 15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A # Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12...
# Display the public key of the local ECDSA key pair ecdsa1.
<Sysname> display public-key local ecdsa public name ecdsa1
=============================================
Key name: ecdsa1
Key type: ECDSA
Time when key pair created: 15:43:33 2011/05/12
Key code:
3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1
AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58...
display public-key peer
Use display public-key peer to display information about peer public keys.
Syntax
display public-key peer [ brief | name publickey-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
Field       Description
Key code    Public key string.
# Display brief information about all peer public keys.
<Sysname> display public-key peer brief
Type   Modulus   Name
---------------------------
       1024      idrsa
       1024      10.1.1.1
Table 28 Command output
Field     Description
Type      Key type: RSA, DSA or ECDSA.
Modulus   Key modulus length in bits.
[Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818 100C0EC8014F82515F6335A0A
[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E 719D1643135877E13B1C531B4
[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B 952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050 BD4A9B1DDE675AC30CB020301
[Sysname-pkey-public-key-key1]0001
[Sysname-pkey-public-key-key1] peer-public-key end
[Sysname]
Related commands
• display public-key local public
• display public-key peer
• public-key peer
public-key local create
Use public-key local create to create local asymmetric key pairs.
Syntax
public-key local create { dsa | ecdsa | rsa } [ name key-name ]
Default...
The key pairs are automatically saved and can survive system reboots.
Table 30 A comparison of different types of asymmetric key pairs
Type   Number of key pairs   Modulus length   HP recommendation
• In non-FIPS mode: If you specify a key pair name, the command creates a host key pair.
..++++++++
..++++++++
Create the key pair successfully.
# Create a local DSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.
# Create a local ECDSA key pair with the name ecdsa1.
<Sysname> system-view
[Sysname] public-key local create ecdsa name ecdsa1
Generating Keys...
Create the key pair successfully.
# In FIPS mode, create a local RSA key pair with the default name.
<Sysname>...
Views
System view
Predefined user roles
network-admin
Parameters
dsa: Specifies the DSA type.
ecdsa: Specifies the ECDSA type.
rsa: Specifies the RSA type.
name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
Confirm to destroy the key pair? [Y/N]:y
Related commands
public-key local create
public-key local export dsa
Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file.
Syntax
public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views...
Examples
# Export the host public key of the local DSA key pair with the default name in OpenSSH format to a file named key.pub.
<Sysname> system-view
[Sysname] public-key local export dsa openssh key.pub
# Display the host public key of the local DSA key pair with the default name in SSH2.0 format.
<Sysname>...
ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBAKHkVsjaKtG7g7G98 qGmtaboNkK0YEAkRdp+QDZxX0aPdmVeEU1GC3ES9XFD7gIK70pb+tB7dA+8scZNqKK85hkoNCFEXux3088NEY ZullatZRH0km+DdpZ7CrcV+ft7UUvBF0FV3W4HOx/LOidJ5sX+qBAD4WcpSX0OrZEF4+dq dsa-key Related commands public-key local create • public-key peer import sshkey • public-key local export rsa Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file.
Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } command to display the host public key in the specified format, then copy and paste it to a file.
Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to the file.
Execute the peer-public-key end command to save the public key and return to system view. The public key you type in the public key view must be in a correct format. If your device is an HP device, use the display public-key local public command to display and record its public key.
Related commands
• display public-key local public
• display public-key peer
• peer-public-key end
public-key peer import sshkey
Use public-key peer import sshkey to import a peer host public key from the public key file.
Use undo public-key peer to remove the specified peer host public key.
Syntax
public-key peer keyname import sshkey filename
undo public-key peer keyname...
PKI commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
attribute
Use attribute to configure an attribute rule for certificate issuer name, subject name, or alternative subject name.
• Each of the subject name and the issuer name can contain only one DN, but they can contain multiple FQDNs and IP addresses.
• The alternative subject name cannot contain the DN, but it can contain multiple FQDNs and IP...
Syntax
ca identifier name
undo ca identifier
Default
No trusted CA is specified.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters.
Usage guidelines
To obtain a CA certificate, you must specify the trusted CA name.
Usage guidelines
A PKI entity describes the identity attributes of an entity for certificate request, including the following information:
• Common name.
• Organization.
• Unit in the organization.
• Locality.
• State and country where the entity resides.
• FQDN.
•...
An independent RA is recommended as the authority to accept certificate requests.
Examples
# Specify the RA to accept certificate requests.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request from ra
certificate request mode
Use certificate request mode to set the certificate request mode.
Use undo certificate request mode to restore the default.
Examples
# Set the certificate request mode to auto.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request mode auto
# Set the certificate request mode to auto, and set a plaintext password for certificate revocation to 123456.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request mode auto password simple 123456
Related commands...
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request polling interval 15
[Sysname-pki-domain-aaa] certificate request polling count 40
Related commands
display pki certificate request-status
certificate request url
Use certificate request url to specify the URL of the registration server for certificate request through the SCEP protocol.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request url http://mytest.net/certsrv/mscep/mscep.dll vpn-instance vpn1
common-name
Use common-name to set the common name for a PKI entity.
Use undo common-name to remove the configuration.
Syntax
common-name common-name-string
undo common-name
Default
No common name is set for a PKI entity.
Parameters
country-code-string: Specifies a country code, a case-sensitive string of two characters, for example, CN for China.
Examples
# Set CN as the country code of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] country CN
crl check
Use crl check enable to enable CRL checking.
Syntax
crl url url-string [ vpn-instance vpn-instance-name ]
undo crl url
Default
The URL of the CRL repository is not specified.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters in the format of ldap://server_location or http://server_location, where server_location can be an IP address or a domain name.
Related commands
• ldap-server
• pki retrieve-crl
display pki certificate access-control-policy
Use display pki certificate access-control-policy to display information about certificate access control policies.
Syntax
display pki certificate access-control-policy [ policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
policy-name: Specifies the name of a certificate access control policy, a case-insensitive string of 1 to 31 characters.
Field    Description
         If the attributes of a certificate match the attribute rules defined in the permit attribute group that the policy references, the certificate passes the check and is regarded valid.
         If the attributes of a certificate match the attribute rules defined in the deny attribute group that the policy references, the certificate fails the check and is regarded invalid.
Attribute 2 issuer-name fqdn nctn
Table 33 Command output
Field                                    Description
Total PKI certificate attribute groups   Total number of certificate attribute groups.
ctn                                      Contain operation.
nctn                                     Not-contain operation.
equ                                      Equal operation.
nequ                                     Not-equal operation.
Attribute 1 subject-name ctn abc         Attribute rule 1 defines that the DN in the subject name contains the string of abc.
If you specify the peer keyword without a serial number, this command displays brief information about all peer certificates. If you specify a serial number, this command displays detailed information about the specified peer certificate.
Examples
# Display information about the CA certificate in the PKI domain aaa.
<Sysname>...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, O=sec, OU=software, CN=ipsec
Validity
    Not Before: Jan 7 20:05:44 2011 GMT
    Not After : Jan 7 20:05:44 2012 GMT
Subject: O=OpenCA Labs, OU=Users, CN=fips fips-sec
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (1024 bit)
    Modulus:
        00:b2:38:ad:8c:7d:78:38:37:88:ce:cc:97:17:39:
        52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67:...
URI:http://titan/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 94:ef:56:70:48:66:be:8f:9d:bb:77:0f:c9:f4:65:77:e3:bd: ea:9a:b8:24:ae:a1:38:2d:f4:ab:e8:0e:93:c2:30:33:c8:ef: f5:e9:eb:9d:37:04:6f:99:bd:b2:c0:e9:eb:b1:19:7e:e3:cb: 95:cd:6c:b8:47:e2:cf:18:8d:99:f4:11:74:b1:1b:86:92:98: af:a2:34:f7:1b:15:ee:ea:91:ed:51:17:d0:76:ec:22:4c:56: da:d6:d1:3c:f2:43:31:4f:1d:20:c8:c2:c3:4d:e5:92:29:ee: 43:c6:d7:72:92:e8:13:87:38:9a:9c:cd:54:38:b2:ad:ba:aa: f9:a4:68:b5:2a:df:9a:31:2f:42:80:0c:0c:d9:6d:b3:ab:0f: dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a: 65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28: 04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64: cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4: 50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f: 3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9: de:18:9d:c1 # Display brief information about all peer certificates in the PKI domain aaa. <Sysname> display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver...
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement Netscape Cert Type: SSL Server X509v3 Subject Alternative Name: DNS:docm.com X509v3 Subject Key Identifier: 3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26 X509v3 CRL Distribution Points: Full Name: URI:http://s03130.ccc.hp.com:447/ssl.crl Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5: 17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72: ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2: ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8: f0:a5...
Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5 Revocation Date: Apr 28 01:33:28 2011 GMT CRL entry extensions: Invalidity Date: Apr 28 01:33:09 2011 GMT Signature Algorithm: sha1WithRSAEncryption 57:ac:00:3e:1e:e2:5f:59:62:04:05:9b:c7:61:58:2a:df:a4: 5c:e5:c0:14:af:c8:e7:de:cf:2a:0a:31:7d:32:da:be:cd:6a: 36:b5:83:e8:95:06:bd:b4:c0:36:fe:91:7c:77:d9:00:0f:9e: 99:03:65:9e:0c:9c:16:22:ef:4a:40:ec:59:40:60:53:4a:fc: 8e:47:57:23:e0:75:0a:a4:1c:0e:2f:3d:e0:b2:87:4d:61:8a: 4a:cb:cb:37:af:51:bd:53:78:76:a1:16:3d:0b:89:01:91:61: 52:d0:6f:5c:09:59:15:be:b8:68:65:0c:5d:1b:a1:f8:42:04: ba:aa Table 35 Command output Field Description Version CRL version number. Signature Algorithm Signature algorithm used by the CA to sign the CRL.
Predefined user roles network-admin Parameters fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters. Usage guidelines An FQDN uniquely identifies a PKI entity on a network. It consists of a host name and a domain name in the format of hostname@domainname. Examples # Set pki.domain-name.com as the FQDN of the PKI entity en.
ldap-server Use ldap-server to specify an LDAP server for a PKI domain. Use undo ldap-server to remove the configuration. Syntax ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ] undo ldap-server Default No LDAP server is specified for a domain. Views PKI domain view Predefined user roles...
pki retrieve-crl locality Use locality to set the locality for a PKI entity. Use undo locality to remove the configuration. Syntax locality locality-name undo locality Default No locality is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters.
Parameters org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set abc as the organization name of the PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] organization abc organization-unit Use organization-unit to set the organization unit name for a PKI entity.
Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Related commands • display pki certificate access-control-policy • rule pki certificate attribute-group Use pki certificate attribute-group to create a certificate attribute group and enter its view. Use undo pki certificate attribute-group to remove a specified certificate attribute group. Syntax pki certificate attribute-group group-name undo pki certificate attribute-group group-name Default No certificate attribute group exists.
Views System view Predefined user roles network-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Related commands display pki certificate pki domain Use pki domain to create a PKI domain and enter its view. Use undo pki domain to remove a PKI domain. Syntax pki domain domain-name undo pki domain domain-name Default No PKI domain exists. Views System view Predefined user roles...
Views System view Predefined user roles network-admin Parameters entity-name: Specifies the name of a PKI entity, a case-insensitive string of 1 to 31 characters. Usage guidelines You can configure a variety of attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address.
all: Specifies all certificates, including the CA certificate and local certificates in the PKI domain, excluding the RA certificate. ca: Specifies the CA certificate. local: Specifies the local certificates or the local certificates and their private keys. passphrase p12passwordstring: Specifies a password for encrypting the private key of a local PKCS12 certificate.
When you export the local certificates or all certificates in PEM format, if you do not specify the cryptographic algorithm and the challenge password for the private key, this command does not export the private keys of the local certificates. If you specify the cryptographic algorithm and the password, and the local certificates have their private keys, this command can export the local certificates with their private keys.
dCvNIUYXXVOGca2iaSOElqCF4CQfV9zLrBtA7giHD49T+JbxLrrJLmdIQMJ+vYdC sCxIp3YMAiuCahVLZeXklooqwqIXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAElm7 W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j 0gwsHrjV7kWvwJvDlhzGW6xbpr4DRmdcao19Cr6o= -----END CERTIFICATE----- # Export the CA certificate in the PKI domain to a file named cacert in PEM format. <Sysname> system-view [Sysname] pki export domain domain1 pem ca filename cacert # Display the CA certificate or the CA certificate chain in the PKI domain on the terminal. <Sysname>...
14nKIEbexbPONspebtznxv4/xTjd1aM2rfQ95jJ/SN8H8KIyiYZyIs3t5Q+V35x1 cef+NMWgZBzwXOSP0wC9+pC2ZNiIpg== -----END CERTIFICATE----- # Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123. <Sysname> system-view [Sysname] pki export domain domain1 pkcs12 local passphrase 123 filename cert-lo.der # Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format.
• Use a certificate that is packed with the server-generated key pair in a single file. Only certificate files in PKCS12 or PEM format might contain key pairs. Before you import the certificates, complete the following tasks: • Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not
The import operation automatically updates or generates the proper key pair. When you perform the import operation, be sure to save the configuration file to avoid data loss. Examples # Import the CA certificate file rootca_pem.cer in PEM format to the PKI domain aaa. The certificate file contains the root certificate.
Overwrite it? [Y/N]:y The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-). Please enter the key pair name [default name: bbb]: The key pair already exists.
Examples # Display information about the certificate request in the PKCS#10 format. <Sysname> system-view [Sysname] pki request-certificate domain aaa pkcs10 *** Request for general certificate *** -----BEGIN NEW CERTIFICATE REQUEST----- MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5 ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nmdcu5TED6iN8 4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c -----END NEW CERTIFICATE REQUEST----- # Request the local certificates.
• You can obtain the CA certificate through the SCEP protocol. If a CA certificate already exists locally, do not obtain the CA certificate again. To obtain a new one, use the pki delete-certificate command to remove the CA certificate and local certificates, and then obtain the CA certificate again.
vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe ('). Usage guidelines CRLs are used to verify the validity of the local certificates and the peer certificates in a PKI domain. To obtain CRLs, a PKI domain must have the proper CA certificate.
crls: Specifies a storage path for the CRLs. dir-path: Specifies a storage path, a case-sensitive string, which cannot start with a slash (/) or contain two dots plus a slash (../). The dir-path argument specifies an absolute path or a relative path, and the path must exist.
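The dir-path restrictions above, as an added Python example (not HP's code and not part of the reference). It applies the two lexical rules the page states (no leading slash, no "../") and the existence requirement, and then adds one hardening step the page does not mention: normalising the path and checking that the result still lies under the storage root. The reason is visible in the demo: a bare ".." contains neither a leading slash nor "../", so it passes the lexical rules, yet it climbs out of the root. The storage root name flash:/pki and the set of existing directories are constructed assumptions; only relative paths are modelled.

```python
"""Validate a relative storage path for CRLs or certificates."""
import posixpath
from typing import Callable, Dict, Tuple

STORAGE_ROOT = "flash:/pki"   # assumed root; device paths use a <medium>:/ prefix


def check_dir_path(dir_path: str, exists: Callable[[str], bool]) -> Tuple[bool, str]:
    """Return (accepted, reason or full path). `exists` answers whether a directory exists."""
    if not dir_path:
        return False, "empty path"
    # The two lexical rules stated in the command reference.
    if dir_path.startswith("/"):
        return False, "must not start with a slash (/)"
    if "../" in dir_path:
        return False, "must not contain two dots plus a slash (../)"
    # Added hardening: a lexical check alone lets a trailing ".." through.
    normalised = posixpath.normpath(dir_path)
    if normalised == ".." or normalised.startswith("../"):
        return False, "resolves outside the storage root"
    full = STORAGE_ROOT if normalised == "." else STORAGE_ROOT + "/" + normalised
    # The path must exist before it can be used as a storage location.
    if not exists(full):
        return False, "path does not exist"
    return True, full


def demo() -> Dict[str, bool]:
    # Constructed directory listing standing in for the device file system.
    existing = {"flash:/pki", "flash:/pki/crls", "flash:/pki/certs/peer"}
    cases = ["crls", "certs/./peer", "/crls", "../crls", "..", "crls/../..", "missing"]
    return {case: check_dir_path(case, existing.__contains__)[0] for case in cases}
```

"certs/./peer" is accepted after normalisation, ".." is rejected by the containment check even though the page's two lexical rules would not catch it, and "crls/../.." is already caught by the "../" rule before normalisation runs.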
When CRL checking is enabled: • To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally saved CRLs. If a proper CRL is found, the device loads the CRL into the PKI domain. Otherwise, the device obtains the proper CRL from the CA server and saves it locally.
• If RSA is used, a PKI domain can have two key pairs: one is the signing key pair, and the other is the encryption key pair. • In a PKI domain, key pairs for different purposes (RSA signing and RSA encryption) do not overwrite
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters, which can include only letters, digits, and hyphens (-). length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. RSA keys of 512 or 1024 bits are considered too weak for new deployments; use 2048 bits wherever the CA and the peers support it.
Syntax In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string undo root-certificate fingerprint In FIPS mode: root-certificate fingerprint sha1 string undo root-certificate fingerprint Default No fingerprint is set. Views PKI domain view Predefined user roles network-admin Parameters md5: Sets an MD5 fingerprint. MD5 is collision-prone and is not available in FIPS mode; prefer sha1 whenever the CA publishes a SHA-1 fingerprint. sha1: Sets a SHA1 fingerprint.
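What the configured root-certificate fingerprint is checked against, as an added Python example (not HP's code and not part of the reference): the digest is computed over the DER encoding of the CA certificate, not over the PEM text, and compared with the configured string. The PEM block here wraps placeholder bytes rather than a real certificate so the example runs offline; the fingerprint string formats accepted (with or without colons, any case) and the FIPS-mode refusal of md5 follow the syntax above but the exact normalisation is an assumption.

```python
"""Verify an obtained CA certificate against a pinned fingerprint."""
import base64
import hashlib
import hmac
import re
from typing import Tuple

# Constructed placeholder: 48 arbitrary bytes, NOT a real DER certificate.
CONSTRUCTED_DER = bytes(range(48))
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
                   + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to the DER bytes that get hashed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algorithm: str) -> str:
    """Hex fingerprint of the DER encoding using md5 or sha1, the two algorithms the command offers."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    return hashlib.new(algorithm, der).hexdigest()


def fingerprint_matches(der: bytes, configured: str, algorithm: str,
                        fips_mode: bool = False) -> Tuple[bool, str]:
    """Compare the certificate's fingerprint with the configured value in constant time."""
    if fips_mode and algorithm == "md5":
        return False, "MD5 fingerprints are not available in FIPS mode"
    given = configured.replace(":", "").replace(" ", "").lower()   # assumed normalisation
    if not hmac.compare_digest(fingerprint(der, algorithm), given):
        return False, "fingerprint mismatch: do not trust this CA certificate"
    return True, "fingerprint verified"


def verify_pem(pem: str, configured: str, algorithm: str, fips_mode: bool = False) -> Tuple[bool, str]:
    return fingerprint_matches(pem_to_der(pem), configured, algorithm, fips_mode)
```

A mismatch means the certificate obtained from the CA (or injected on the path to it) is not the one whose fingerprint was pinned out of band, and the domain must not trust it.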
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup Related commands • attribute • display pki certificate access-control-policy • pki certificate attribute-group source Use source to specify the source IP address for PKI protocol packets. Use undo source to remove the configuration. Syntax source { ip | ipv6 } { ip-address | interface interface-type interface-number } undo source Default The source IP address is the outgoing interface IP address of the route to the CA.
[Sysname] pki domain 1 [Sysname-pki-domain-1] source ipv6 1::8 # Specify the IP address of the interface GigabitEthernet 1/0/1 as the source IPv4 address of PKI protocol packets. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] source ip interface gigabitethernet 1/0/1 # Specify the IPv6 address of the interface GigabitEthernet 1/0/1 as the source IPv6 address of PKI protocol packets.
undo usage [ ike | ssl-client | ssl-server ] * Default No extension is specified, and a certificate can be used for all applications, including IKE, SSL clients, and SSL servers. Views PKI domain view Predefined user roles network-admin Parameters ike: Specifies the IKE certificate extension so IKE peers can use the certificates.
IPsec commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1 description Use description to configure description for an IPsec policy, IPsec policy template, or IPsec profile. Use undo description to restore the default. Syntax description text undo description Default No description is defined. Views IPsec policy view, IPsec policy template view, IPsec profile view Predefined user roles network-admin Parameters...
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec policies. •...
ESP authentication hex key: ----------------------------- Sequence number: 2 Mode: isakmp ----------------------------- The policy configuration is incomplete: Remote-address not set ACL not specified Transform-set not set Description: This is my first IPv4 Isakmp policy Security data flow: Selector mode: standard Local address: Remote address: Transform set: IKE profile:...
AH authentication hex key: Outbound ESP setting: ESP SPI: 8000 (0x00001f40) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: ----------------------------- Sequence number: 2 Mode: isakmp ----------------------------- Description: This is my complete policy Security data flow: 3200 Selector mode: standard Local address: Remote address: 5.3.6.9 Transform set:...
Field Description • ESP encryption hex key: ESP encryption hex key (****** is displayed if the key is configured). • ESP authentication hex key: ESP authentication hex key (****** is displayed if the key is configured). Related commands ipsec { ipv6-policy | policy } display ipsec { ipv6-policy-template | policy-template } Use display ipsec { ipv6-policy-template | policy-template } to display information about IPsec policy templates.
--------------------------------- Description: This is policy template Security data flow : IKE profile: None Remote address: 162.105.10.2 Transform set: testprop IPsec SA local duration(time based): 3600 seconds IPsec SA local duration(traffic based): 1843200 kilobytes # Display information about all IPv6 IPsec policy templates. <Sysname>...
Syntax display ipsec profile [ profile-name ] Views Any view Predefined user roles network-admin network-operator Parameters profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec profiles. Examples # Display information about all IPsec profiles.
Field Description • Mode: Negotiation mode used by the IPsec profile. Only the manual mode is available. • Description: Description of the IPsec profile. • Transform set: IPsec transform set referenced by the IPsec profile. Related commands ipsec profile display ipsec sa Use display ipsec sa to display information about IPsec SAs. Syntax display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]...
Interface/Global Dst Address Protocol Status ----------------------------------------------------------------------- GE2/1/1 10.1.1.1 active GE2/1/1 255.255.255.255 4294967295 active GE2/1/1 100::1/64 active global active Table 39 Command output Field Description • Interface/Global: Interface to which the IPsec SA belongs, or global for an IPsec SA created by using an IPsec profile.
SA duration (kilobytes/sec): 4294967295/604800 SA remaining duration (kilobytes/sec): 1843200/2686 Max received sequence-number: 5 Anti-replay check enable: Y Anti-replay window size: 32 UDP encapsulation used for NAT traversal: N Status: active [Outbound ESP SAs] SPI: 801701189 (0x2fc8fd45) Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 4294967295/604800 SA remaining duration (kilobytes/sec): 1843200/2686 Max sent sequence-number: 6...
Field Description • Perfect Forward Secrecy: Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: 768-bit Diffie-Hellman group (dh-group1), 1024-bit Diffie-Hellman group (dh-group2), 1536-bit Diffie-Hellman group (dh-group5), 2048-bit Diffie-Hellman group (dh-group14), or 2048-bit Diffie-Hellman group with 256-bit subgroup (dh-group24). • Path MTU: Path MTU of the IPsec SA.
Syntax display ipsec statistics [ tunnel-id tunnel-id ] Views Any view Predefined user roles network-admin network-operator Parameters tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel ID is 0 to 4294967295. You can use the display ipsec tunnel brief command to display the IDs of established IPsec tunnels.
Parameters transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets. Examples # Display information about all IPsec transform sets. <Sysname>...
Syntax display ipsec tunnel { brief | count | tunnel-id tunnel-id } Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about IPsec tunnels. count: Displays the number of IPsec tunnels. tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel ID is 0 to 4294967295.
<Sysname> display ipsec tunnel count Total IPsec Tunnel Count: 2 # Display information about all IPsec tunnels. <Sysname> display ipsec tunnel Tunnel ID: 0 Status: active Perfect forward secrecy: SA's SPI: outbound: 2000 (0x000007d0) [AH] inbound: 1000 (0x000003e8) [AH] outbound: 4000 (0x00000fa0) [ESP]...
Table 44 Command output Field Description • Tunnel ID: IPsec tunnel ID, used to uniquely identify an IPsec tunnel. • Status: IPsec tunnel status. Only active is available. • Perfect forward secrecy: Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: • 768-bit Diffie-Hellman group (dh-group1) •
Usage guidelines IPsec supports the following encapsulation modes: • Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header.
Views IPsec transform set view Predefined user roles network-admin Parameters md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key. sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key. Usage guidelines In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key. aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key. aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key. aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key.
Usage guidelines The IKE profile referenced by an IPsec policy or IPsec policy template defines the parameters used for IKE negotiation. An IPsec policy or IPsec policy template can reference only one IKE profile and they cannot reference any IKE profile that is already referenced by another IPsec policy or IPsec policy template. Examples # Specify IPsec policy policy1 to reference IKE profile profile1.
Related commands ipsec anti-replay window ipsec anti-replay window Use ipsec anti-replay window to set the anti-replay window size. Use undo ipsec anti-replay window to restore the default. Syntax ipsec anti-replay window width undo ipsec anti-replay window Default The anti-replay window size is 64. Views System view Predefined user roles...
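What the anti-replay window and the ESP authentication algorithm above control on the receiving side, as an added Python example (not HP's code and not part of the reference). Inbound ESP processing keeps a sliding window of the last window-size sequence numbers (64 here, the default above): a packet is dropped if its sequence number is already marked or falls below the window, the ICV is verified, and only a packet whose ICV verifies advances or marks the window. The ICV is HMAC-SHA1 with the 160-bit key the page names, truncated to 96 bits as IPsec's HMAC-SHA1-96 does; the SPI, key and payloads are constructed values, and encryption is left out so the authentication and replay logic stay visible.

```python
"""Inbound ESP: HMAC-SHA1-96 integrity check plus sliding-window anti-replay."""
import hashlib
import hmac
import struct
from typing import List, Tuple

ICV_LEN = 12                      # HMAC-SHA1-96: 96-bit truncation of HMAC-SHA1
ESP_HDR = struct.Struct("!II")    # SPI (4 bytes) then sequence number (4 bytes)


class InboundEspSa:
    def __init__(self, spi: int, auth_key: bytes, window_size: int = 64):
        if len(auth_key) != 20:
            raise ValueError("HMAC-SHA1 authentication key must be 160 bits")
        self.spi = spi
        self.auth_key = auth_key
        self.window_size = window_size
        self.highest_seq = 0      # highest sequence number accepted so far
        self.window = 0           # bitmap: bit n set means highest_seq - n was received

    def _seen_before(self, seq: int) -> bool:
        """Preliminary anti-replay check, done before the (costly) ICV check."""
        if seq == 0:
            return True                        # 0 is never valid on an established SA
        if seq > self.highest_seq:
            return False                       # new high water mark
        behind = self.highest_seq - seq
        if behind >= self.window_size:
            return True                        # older than the window: reject
        return bool((self.window >> behind) & 1)

    def _mark_received(self, seq: int) -> None:
        """Update the window; called only after the ICV has verified."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            if shift >= self.window_size:
                self.window = 1                # everything older falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.window = ((self.window << shift) | 1) & mask
            self.highest_seq = seq
        else:
            self.window |= 1 << (self.highest_seq - seq)

    def process(self, packet: bytes) -> Tuple[bool, str, bytes]:
        """Return (accepted, reason, payload) for one ESP packet: header, payload, ICV."""
        if len(packet) < ESP_HDR.size + ICV_LEN:
            return False, "truncated", b""
        spi, seq = ESP_HDR.unpack_from(packet)
        if spi != self.spi:
            return False, "no SA for SPI", b""
        if self._seen_before(seq):
            return False, "replay or outside window", b""
        authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "ICV mismatch", b""    # window is left untouched
        self._mark_received(seq)
        return True, "accepted", packet[ESP_HDR.size:-ICV_LEN]


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Sender side: ESP header + payload + HMAC-SHA1-96 ICV over both."""
    body = ESP_HDR.pack(spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]


def demo() -> List[str]:
    key = bytes(range(20))                     # constructed 160-bit key
    spi = 0x00001F40                           # 8000, the SPI in the display output above
    sa = InboundEspSa(spi, key)
    packets = [build_esp(spi, s, b"data%d" % s, key) for s in (1, 2, 3)]
    packets.append(packets[1])                               # replay of seq 2
    packets.append(build_esp(spi, 100, b"jump", key))        # jump forward by more than 64
    packets.append(build_esp(spi, 3, b"late", key))          # seq 3 is now below the window
    packets.append(build_esp(spi, 50, b"late-ok", key))      # inside the window and unseen
    forged = bytearray(build_esp(spi, 101, b"forged", key))
    forged[-1] ^= 0xFF                                       # corrupt the ICV
    packets.append(bytes(forged))
    packets.append(build_esp(spi, 101, b"real", key))        # same seq, genuine: still accepted
    return [sa.process(p)[1] for p in packets]
```

The order matters: a forged packet with a high sequence number must not move the window, otherwise an attacker could knock legitimate in-flight packets below the window without ever producing a valid ICV; that is why the window is updated only after the integrity check passes.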
IPsec policy that is already applied to the interface. An IKE-based IPsec policy can be applied to multiple interfaces. However, HP recommends that you apply an IKE-based IPsec policy to only one interface. A manual IPsec policy can be applied to only one interface.
Usage guidelines In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be covered by the ACL specified in the IPsec policy. After de-encapsulation, such packets can threaten network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets that fail the check are discarded, improving network security.
IPsec packets, the packets will not be fragmented. In this case, make sure the MTU on each interface along the forwarding path is larger than the IPsec packet length. Otherwise, the packets are discarded. If you cannot make sure of the MTU value, HP recommends that you clear the DF bit. Examples # Set the DF bit for outer IP headers of encapsulated IPsec packets on GigabitEthernet2/1/2.
IPsec packets, the packets will not be fragmented. In this case, make sure the MTU on each interface along the forwarding path is larger than the IPsec packet length. Otherwise, the packets are discarded. If you cannot make sure of the MTU value, HP recommends that you clear the DF bit. Examples # Set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces.
Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. isakmp: Establishes IPsec SAs through IKE negotiation.
undo ipsec { ipv6-policy | policy } policy-name [ seq-number ] Default No IPsec policy is created. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535.
A source interface can be bound to multiple IPsec policies. HP recommends that you use a stable interface, such as a Loopback interface, as a source interface. Examples # Bind the IPsec policy map to source interface Loopback 1.
Syntax ipsec profile profile-name [ manual ] undo ipsec profile profile-name Default No IPsec profile is created. Views System view Predefined user roles network-admin Parameters profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters. manual: Specifies the IPsec SA setup mode as manual.
Parameters time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires. Usage guidelines You can also configure IPsec SA lifetimes in IPsec policy view or IPsec policy template view.
Usage guidelines This function applies only to IPsec SAs negotiated by IKE. The IPsec SA idle timeout can also be configured in IPsec policy view or IPsec policy template view, which takes precedence over the global IPsec SA timeout. Examples # Set the IPsec SA idle timeout to 600 seconds.
local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default. Syntax local-address { ipv4-address | ipv6 ipv6-address } undo local-address Default The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address.
Views IPsec transform set view Predefined user roles network-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol. esp: Specifies the ESP protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set. Examples # Specify the AH protocol for the IPsec transform set.
remote-address Use remote-address to configure the remote IP address for the IPsec tunnel. Use undo remote-address to restore the default. Syntax remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } undo remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } Default No remote IP address is specified for the IPsec tunnel.
[Sysname] ip host test 2.2.2.2 In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host. # Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1. [Sysname] ipsec policy policy1 1 isakmp [Sysname-ipsec-policy-isakmp-policy1-1] remote-address test Examples...
• ah: Specifies the AH protocol. • esp: Specifies the ESP protocol. • spi-num: Specifies the security parameter index in the range of 256 to 4294967295. Usage guidelines If you do not specify any parameters, this command clears all IPsec SAs. If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or...
Parameters tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id is 0 to 4294967295. If you do not specify this option, the command clears all IPsec packet statistics. Examples # Clear IPsec packet statistics. <Sysname>...
# Display the routing table. You can see a created static route. (Other information is not shown.) [Sysname] display ip routing-table … Destination/Mask Proto Cost NextHop Interface 3.0.0.0/24 Static 60 1.1.1.2 GigabitEthernet2/1/1 Related commands display ip routing-table (Layer 3—IP Routing Command Reference) •...
reverse-route tag Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in implementing flexible route control through routing policies. Use undo reverse-route tag to restore the default. Syntax reverse-route tag tag-value undo reverse-route tag Default The tag value is 0 for the static routes created by IPsec RRI.
Predefined user roles network-admin Parameters time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes. Usage guidelines IKE prefers the SA lifetime of the IPsec policy over the global SA lifetime. If the IPsec policy is not configured with the SA lifetime, IKE uses the global SA lifetime configured by the ipsec sa global-duration command for SA negotiation.
sa idle-time Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy or IPsec policy template. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted. Use undo sa idle-time to restore the default. Syntax sa idle-time seconds undo sa idle-time...
Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies an SPI for inbound SAs. outbound: Specifies an SPI for outbound SAs. ah: Uses AH. esp: Uses ESP. spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295. Usage guidelines This command applies to only manual IPsec policies and IPsec profiles.
Default No key string is configured for IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Sets a key string for inbound IPsec SAs. outbound: Sets a key string for outbound IPsec SAs. ah: Uses AH. esp: Uses ESP.
# In an IPsec policy for an IPv6 routing protocol, configure the inbound and outbound SAs that use AH to use the plaintext key abcdef. <Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef [Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple abcdef Related commands display ipsec sa...
A manual IPsec policy supports only the standard mode. Examples # Reference ACL 3001 for the IPsec policy policy1. <Sysname> system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Sysname-acl-adv-3001] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] security acl 3001 # Reference ACL 3002 for the IPsec policy policy2 and specify the data protection mode as aggregation.
decrypt-failure: Specifies SNMP notifications for decryption failures. encrypt-failure: Specifies SNMP notifications for encryption failures. global: Specifies SNMP notifications globally. invalid-sa-failure: Specifies SNMP notifications for invalid-SA failures. no-sa-failure: Specifies SNMP notifications for SA-not-found failures. policy-add: Specifies SNMP notifications for events of adding IPsec policies. policy-attach: Specifies SNMP notifications for events of applying IPsec policies to interfaces.
Predefined user roles network-admin Parameters transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names, a case-insensitive string of 1 to 63 characters. Usage guidelines A manual IPsec policy can reference only one IPsec transform set. If you specify an IPsec transform set for the manual IPsec policy multiple times, the most recent configuration takes effect.
IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-method to restore the default. Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles network-admin Parameters dsa-signature: Specifies the DSA signatures as the authentication method. pre-share: Specifies the pre-shared key as the authentication method.
Default No PKI domain is specified for IKE negotiation. Views IKE profile view Predefined user roles network-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, all PKI domains configured on the device are used for enrollment, authentication, certificate issuing, validation, and signature.
dh group14
undo dh
Default
In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group. A 768-bit group is far below current key-strength recommendations; keep it only for peers that cannot negotiate group14.
group14: Uses the 2048-bit Diffie-Hellman group.
Usage guidelines This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal. Examples # Display the configuration information about all IKE proposals. <Sysname>...
network-operator Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000. remote-address: Displays detailed information about IKE SAs with the specified remote address. ipv6: Specifies an IPv6 address. remote-address: Remote IP address.
Local IP: 4.4.4.4
Local ID type: IPV4_ADDR
Local ID: 4.4.4.4
Remote IP: 4.4.4.5
Remote ID type: IPV4_ADDR
Remote ID: 4.4.4.5
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: AES-CBC-128
Life duration(sec): 86400
Remaining key duration(sec): 86379
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
Field	Description
Outside VPN	VPN instance name of the MPLS L3VPN to which the receiving interface belongs.
Inside VPN	VPN instance name of the MPLS L3VPN to which the protected data belongs.
Profile	Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field displays nothing.
Parameters
interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300.
• If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.
Views IKE proposal view Predefined user roles network-admin Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption. aes-cbc-128: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit key for encryption.
Usage guidelines
When a user at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends specifying the aggressive mode at the local end. Note that aggressive mode sends the identity payloads unencrypted and exposes the pre-shared-key-derived hash to offline guessing, so use a long random pre-shared key when you choose it.
Examples
# Specify that IKE negotiation operates in main mode.
periodic: Sends DPD messages at regular intervals.
Usage guidelines
DPD is triggered periodically or on demand. The on-demand mode is recommended when the device communicates with a large number of IKE peers. For earlier detection of dead peers, use the periodic mode, which consumes more bandwidth and CPU.
Usage guidelines
The global identity can be used by the device for all IKE SA negotiations. The local identity (set by the local-identity command) can be used only by the device that uses the IKE profile.
In pre-shared key authentication, you cannot set the DN as the identity.
In signature authentication:
Use caution when you enable the invalid SPI recovery feature, because it can be abused for a DoS attack: an attacker can send large numbers of invalid-SPI notifications to the same peer.
Examples
# Enable invalid SPI recovery.
<Sysname>...
Syntax ike keepalive timeout seconds undo ike keepalive timeout Default The negotiated aging time for the IKE SA applies. Views System view Predefined user roles network-admin Parameters seconds: Specifies the number of seconds between IKE keepalives. The value is in the range of 20 to 28800.
Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IKE keychain belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.
The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system. Examples # Set the maximum number of half-open IKE SAs to 200. <Sysname>...
Syntax ike profile profile-name undo ike profile profile-name Default No IKE profile is configured. Views System view Predefined user roles network-admin Parameters profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters. Examples # Create IKE profile 1 and enter its view. <Sysname>...
Parameters proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal. Usage guidelines During IKE negotiation: • The initiator sends its IKE proposals to the peer. If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer.
If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration. Examples # Configure the local device to always obtain the identity information from the local certificate for signature authentication.
keychain Use keychain to specify an IKE keychain for pre-shared key authentication. Use undo keychain to remove the IKE keychain reference. Syntax keychain keychain-name undo keychain keychain-name Default No IKE keychain is specified for an IKE profile. Views IKE profile view Predefined user roles network-admin Parameters...
Views IKE profile view Predefined user roles network-admin Parameters address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID. dn: Uses the DN in the local certificate as the local ID. fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
Views IKE keychain view Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs.
Views IKE profile view Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs.
low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } } Default No peer ID is configured for IKE profile matching. Views IKE profile view Predefined user roles network-admin Parameters certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile matching.
# Configure a peer ID with the identity type of IP address and the value of 10.1.1.1.
[Sysname-ike-profile-prof1] match remote identity address 10.1.1.1
Related commands
local-identity
pre-shared-key
Use pre-shared-key to configure a pre-shared key.
Use undo pre-shared-key to remove a pre-shared key.
Syntax
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }...
Usage guidelines
The address option or the hostname option specifies the peer with which the device can use the pre-shared key to perform IKE negotiation.
Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file. Because the device must recover the key to negotiate, this encryption is reversible; treat configuration files that contain pre-shared keys as sensitive and choose long random keys.
<Sysname> system-view
[Sysname] ike keychain key1
[Sysname-ike-keychain-key1] priority 10
priority (IKE profile view)
Use priority to specify a priority for an IKE profile.
Use undo priority to restore the default.
Syntax
priority number
undo priority
Default
The priority of an IKE profile is 100.
Views
IKE profile view
Predefined user roles...
Views IKE profile view Predefined user roles network-admin Parameters proposal-number&<1-6>: Specifies a space-separated list of up to six IKE proposals by their numbers in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority. Usage guidelines When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation.
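How the proposal ordering described for `ike proposal` and `proposal` plays out in a negotiation, as an added Python example written for this page (not Comware code). The initiator offers the proposals its IKE profile references in list order; the responder walks its own proposals from the lowest number upward and takes the first match. The responder-side matching order, the two constructed configurations and the proposal numbers are assumptions of the example. The point it shows: a weak proposal (3DES, group1) that either peer still has configured with a high priority wins even when the initiator listed AES/group14 first.

```python
"""IKE proposal ordering and selection as described for the `ike proposal`
and `proposal` (IKE profile view) commands.  Example code written for this
page, not Comware's implementation; the responder-side matching order is an
assumption stated in responder_select()."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Proposal:
    number: int              # 1-65535; lower number = higher priority (page)
    encryption: str          # e.g. "aes-cbc-128", "3des-cbc"
    authentication: str      # hash algorithm, e.g. "sha1"
    auth_method: str         # "pre-share", "rsa-signature", "dsa-signature"
    dh: str                  # "group1" (768-bit) or "group14" (2048-bit)

    def params(self):
        """Everything that must agree for two proposals to match; the number
        is local bookkeeping and is never compared across peers."""
        return (self.encryption, self.authentication, self.auth_method, self.dh)


def initiator_offer(profile_proposals: Sequence[int],
                    configured: Dict[int, Proposal]) -> List[Proposal]:
    """Proposals referenced by `proposal n1 n2 ...` are offered in list order:
    'An IKE proposal specified earlier has a higher priority.'"""
    return [configured[n] for n in profile_proposals]


def responder_select(offered: Sequence[Proposal],
                     local: Sequence[Proposal]) -> Optional[Proposal]:
    """Responder walks its own proposals from highest priority (lowest number)
    downward and returns the first one that matches any offered proposal.
    Assumed here: the responder's priority order, not the initiator's, decides."""
    offered_params = {p.params() for p in offered}
    for mine in sorted(local, key=lambda p: p.number):
        if mine.params() in offered_params:
            return mine
    return None


def negotiate(initiator_profile: Sequence[int],
              initiator_cfg: Dict[int, Proposal],
              responder_cfg: Sequence[Proposal]):
    offered = initiator_offer(initiator_profile, initiator_cfg)
    return offered, responder_select(offered, responder_cfg)


# Constructed configuration for both peers (assumed, not from the page).
INITIATOR_CFG = {
    10: Proposal(10, "3des-cbc", "sha1", "pre-share", "group1"),
    20: Proposal(20, "aes-cbc-128", "sha1", "pre-share", "group14"),
}
# `proposal 20 10` in the initiator's IKE profile: AES/group14 is preferred.
INITIATOR_PROFILE = [20, 10]

RESPONDER_CFG = [
    Proposal(5, "3des-cbc", "sha1", "pre-share", "group1"),      # highest priority
    Proposal(10, "aes-cbc-128", "sha1", "pre-share", "group14"),
]

if __name__ == "__main__":
    offered, agreed = negotiate(INITIATOR_PROFILE, INITIATOR_CFG, RESPONDER_CFG)
    print("offered:", [p.number for p in offered])
    print("agreed :", agreed)
```

Running it shows the responder settling on its proposal 5 (3DES/group1) although the initiator preferred AES/group14. The only reliable way to prevent that downgrade is to remove the weak proposal from both peers rather than to reorder it.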
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Delete the IKE SA with the connection ID 2.
<Sysname> reset ike sa 2
# Display the current IKE SAs.
<Sysname> display ike sa
Total IKE SAs:
  Connection-ID   Remote                Flag
  ----------------------------------------------------------
                  202.38.0.2            RD|ST        IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT...
Predefined user roles
network-admin
Parameters
seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800.
Usage guidelines
If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect.
Before an IKE SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is negotiated.
cert-unavailable: Specifies SNMP notifications for certificate-unavailable failures.
decrypt-failure: Specifies SNMP notifications for decryption failures.
encrypt-failure: Specifies SNMP notifications for encryption failures.
global: Specifies SNMP notifications globally.
invalid-cert-auth: Specifies SNMP notifications for invalid-certificate-authentication failures.
invalid-cookie: Specifies SNMP notifications for invalid-cookie failures.
invalid-id: Specifies SNMP notifications for invalid-ID failures.
SSH commands Some MSR routers support the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
Field Description SSH server key generating interval SSH server key pair update interval. SSH authentication retries Maximum number of authentication attempts for SSH users. SFTP server Whether the SFTP server function is enabled. SFTP server Idle-Timeout SFTP connection idle timeout timer. # Display the SSH server sessions.
Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured by using the ssh user command on the SSH server.
Predefined user roles network-admin Examples # Enable the SFTP server function. <Sysname> system-view [Sysname] sftp server enable Related commands display ssh server sftp server idle-timeout Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server. Use undo sftp server idle-timeout to restore the default.
Syntax
ssh server acl acl-number
undo ssh server acl
Default
An SSH server allows all IPv4 SSH clients to access the server.
Views
System view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL number in the range of 2000 to 4999.
Usage guidelines
You can use this command to filter the IPv4 SSH clients' request packets by referencing an ACL: If the ACL has rules configured, only the IPv4 SSH clients whose request packets match the permit...
Views
System view
Predefined user roles
network-admin
Parameters
times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5.
Usage guidelines
You can set this limit to slow down brute-force guessing of usernames and passwords. The new limit applies only to users who log in after it is configured; sessions already in progress keep the old limit.
You can set a small value for the timeout timer to prevent malicious occupation of TCP connections while authentications are suspended. Examples # Set the SSH user authentication timeout timer to 10 seconds. <Sysname> system-view [Sysname] ssh server authentication-timeout 10 Related commands display ssh server ssh server compatible-ssh1x enable...
undo ssh server dscp Default The DSCP value in IPv4 packets sent by the SSH server is 48. Views System view Predefined user roles network-admin Parameters dscp-value: Specifies the DSCP value in the outbound IPv4 packets, in the range of 0 to 63. Usage guidelines The DSCP value of a packet specifies the priority of the packet and affects the transmission priority of the packet.
ssh server ipv6 acl Use ssh server ipv6 acl to control access to the IPv6 SSH server. Use undo ssh server ipv6 acl to restore the default. Syntax ssh server ipv6 acl [ ipv6 ] acl-number undo ssh server ipv6 acl Default An SSH server allows all IPv6 SSH clients to access the server.
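The wildcard-mask rule matching that both the IPsec policy's `security acl` (ACL 3001 in the example earlier in this chapter) and the `ssh server acl` command depend on, as an added Python example written for this page rather than code from the product documentation. It parses rules in the documented `rule [number] {permit|deny} [protocol] source ... destination ...` syntax, evaluates them with Comware's wildcard semantics (a 0 bit must match, a 1 bit is ignored), and applies the result the way the two commands do: IPsec protects only permitted traffic, and the SSH server admits only clients matched by a permit rule. IPv4 only; the constructed ACL 2001, first-match evaluation in configuration order, and treating an ACL with no rules as no filter are assumptions of the example.

```python
"""Wildcard-mask ACL matching as applied by the `security acl` (IPsec policy)
and `ssh server acl` commands.  Example code written for this page; it models
the documented rule syntax and is not Comware's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    protocol: str          # "tcp", "udp", "icmp", ... or "ip" (any protocol)
    source: str            # "any" or "<address> <wildcard>"
    destination: str       # "any" or "<address> <wildcard>"


def parse_rule(line: str) -> Rule:
    """Parse `rule [number] {permit|deny} [protocol] [source ...] [destination ...]`.
    Basic ACLs (2000-2999) carry no protocol and no destination; advanced ACLs
    (3000-3999) may carry both, as in the page's ACL 3001 example."""
    toks = line.split()
    assert toks[0] == "rule"
    i = 1
    if toks[i].isdigit():          # optional rule number
        i += 1
    action = toks[i]
    i += 1
    protocol = "ip"
    if i < len(toks) and toks[i] not in ("source", "destination"):
        protocol = toks[i]
        i += 1
    fields = {"source": "any", "destination": "any"}
    while i < len(toks):
        name = toks[i]
        if toks[i + 1] == "any":
            fields[name] = "any"
            i += 2
        else:                      # address followed by a wildcard mask
            fields[name] = f"{toks[i + 1]} {toks[i + 2]}"
            i += 3
    return Rule(action, protocol, fields["source"], fields["destination"])


def addr_matches(spec: str, addr: str) -> bool:
    """Comware wildcard semantics: a 0 bit in the wildcard must equal the rule
    address, a 1 bit is ignored (the inverse of a subnet mask, and it need not
    be contiguous)."""
    if spec == "any":
        return True
    net, wild = spec.split()
    ignore = int(ipaddress.IPv4Address(wild))
    care = 0xFFFFFFFF ^ ignore
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def evaluate(rules: List[Rule], protocol: str, src: str, dst: str) -> Optional[str]:
    """First matching rule wins, in configuration order (assumed for this example).
    Returns "permit", "deny", or None when no rule matches."""
    for r in rules:
        if r.protocol != "ip" and r.protocol != protocol:
            continue
        if addr_matches(r.source, src) and addr_matches(r.destination, dst):
            return r.action
    return None


def ipsec_protects(rules: List[Rule], protocol: str, src: str, dst: str) -> bool:
    """An IPsec policy protects exactly the traffic its ACL permits."""
    return evaluate(rules, protocol, src, dst) == "permit"


def ssh_client_allowed(rules: List[Rule], client_ip: str) -> bool:
    """`ssh server acl`: with rules configured, only clients whose requests match
    a permit rule are accepted.  An ACL with no rules is treated as no filter
    (assumption; the documented default without an ACL is to allow all clients)."""
    if not rules:
        return True
    return evaluate(rules, "tcp", client_ip, "0.0.0.0") == "permit"


# ACL 3001 exactly as in the page's IPsec policy example.
ACL_3001 = [parse_rule("rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255")]

# Constructed basic ACL for `ssh server acl 2001`: one management subnet, all else denied.
ACL_2001 = [parse_rule("rule 0 permit source 192.0.2.0 0.0.0.255"),
            parse_rule("rule 5 deny source any")]

if __name__ == "__main__":
    print("IPsec protects 10.1.1.7->10.1.2.9/tcp:", ipsec_protects(ACL_3001, "tcp", "10.1.1.7", "10.1.2.9"))
    print("IPsec protects 10.1.1.7->10.1.2.9/udp:", ipsec_protects(ACL_3001, "udp", "10.1.1.7", "10.1.2.9"))
    print("SSH from 192.0.2.44 allowed:", ssh_client_allowed(ACL_2001, "192.0.2.44"))
    print("SSH from 198.51.100.1 allowed:", ssh_client_allowed(ACL_2001, "198.51.100.1"))
```

Note the asymmetry the example makes visible: for IPsec, traffic the ACL does not match is simply not protected (it is not blocked), whereas for the SSH server an unmatched client is rejected once any rule exists, so an ACL used for both purposes needs a separate review for each.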
ssh server ipv6 dscp Use ssh server ipv6 dscp to set the DSCP value in the IPv6 packets that the SSH server sends to the SSH clients. Use undo ssh server ipv6 dscp to restore the default. Syntax ssh server ipv6 dscp dscp-value undo ssh server ipv6 dscp Default The DSCP value in IPv6 packets sent by the SSH server is 48.
Parameters
hours: Specifies an interval for updating the server key pair, in the range of 1 to 24 hours.
Usage guidelines
This command is not available in FIPS mode.
Updating the RSA server key pair periodically limits how long a recovered or compromised key remains useful to an attacker, and so strengthens the security of SSH connections.
• scp: Specifies the service type as SCP.
• sftp: Specifies the service type as SFTP.
• stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies an authentication method for an SSH user:
• password: Specifies password authentication. This authentication method features easy and fast...
• If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
For an SSH user, the user role also depends on the authentication method:
• If the authentication method is password, the user role is authorized by the remote AAA server or...
Examples
# Terminate the connection with the SFTP server.
sftp> bye
<Sysname>
cd
Use cd to change the working path on an SFTP server.
Syntax
cd [ remote-path ]
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-path: Specifies the name of a path on the server.
Usage guidelines
You can use the cd ..
sftp> pwd
Remote working directory: /test1
sftp> cdup
Current Directory is:/
sftp> pwd
Remote working directory: /
sftp>
delete
Use delete to delete a file from the SFTP server.
Syntax
delete remote-file
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-file: Specifies a file to delete from the server.
Usage guidelines
If the -a and -l keywords are not specified, the command displays the names of the files and subdirectories under a directory.
This command functions as the ls command.
Examples
# Display detailed information about the files and subdirectories under the current working directory.
sftp>...
Related commands
• sftp client ipv6 source
• sftp client source
display ssh client source
Use display ssh client source to display the source IP address or source interface configured for the Stelnet client.
Syntax
display ssh client source
Views
Any view
Predefined user roles
network-admin...
Use get to download a file from an SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Specifies the name for the local file.
                                  information of the file
exit                              Quit sftp
get remote-path [local-path]      Download file
help                              Display this help text
ls [-a|-l][path]                  Display remote directory
  -a                              List all filenames
  -l                              List filename including the specific information of the file
mkdir path                        Create remote directory
put local-path [remote-path]      Upload file
pwd                               Display remote working directory
quit                              Quit sftp...
sftp> ls -a
drwxrwxrwx   512 Dec 18 14:12 .
drwxrwxrwx   512 Dec 18 14:12 ..
-rwxrwxrwx   301 Dec 18 14:11 010.pub
-rwxrwxrwx   301 Dec 18 14:12 011.pub
-rwxrwxrwx   301 Dec 18 14:12 012.pub
sftp> ls -l
-rwxrwxrwx   301 Dec 18 14:11 010.pub
-rwxrwxrwx   301 Dec 18 14:12 011.pub
-rwxrwxrwx...
sftp> put startup.bak startup01.bak
Uploading startup.bak to /startup01.bak
startup01.bak                 100% 1424     1.4KB/s   00:00
pwd
Use pwd to display the current working directory of an SFTP server.
Syntax
pwd
Views
SFTP client view
Predefined user roles
network-admin
Examples
# Display the current working directory of the SFTP server.
sftp>...
Views
SFTP client view
Predefined user roles
network-admin
Parameters
remote-file: Specifies a file to delete from an SFTP server.
Usage guidelines
This command functions as the delete command.
Examples
# Delete the file temp.c from the SFTP server.
sftp> remove temp.c
Removing /temp.c
rename
Use rename to change the name of a file or directory on an SFTP server.
Predefined user roles
network-admin
Parameters
remote-path: Specifies a directory to delete from an SFTP server.
Examples
# Delete the sub-directory temp1 under the current directory on the SFTP server.
sftp> rmdir temp1
scp
Use scp to establish a connection to an IPv4 SCP server and transfer files with the server.
Syntax
In non-FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name...
identity-key: Specifies a public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.
• dsa: Specifies the public key algorithm dsa.
• rsa: Specifies the public key algorithm rsa.
Usage guidelines In publickey authentication, the client must get the local private key for digital signature. Because the publickey authentication uses either RSA or DSA algorithm, you must specify an algorithm by using the identity-key keyword. In this way, the client can get the correct local private key. Examples # Connect an SCP client to the SCP server 200.1.1.1.
-i interface-type interface-number: Specifies an output interface by its type and number. This option is only used when the server uses a link-local address. The specified output interface on the client must have a link-local address. get: Downloads the file. put: Uploads the file.
• Specify the loopback interface as the source interface.
• Specify the IPv6 address of the loopback interface as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
• Specify the loopback interface or dialer interface as the source interface.
• Specify the IP address of the loopback interface or dialer interface as the source IP address.
interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address of the SFTP packets.
This command takes effect on all IPv6 SFTP connections. The source IPv6 address specified in the sftp ipv6 command takes effect only on the current IPv6 SFTP connection. If you specify the source IPv6 address both in this command and the sftp ipv6 command, the source IPv6 address specified in the sftp ipv6 command takes effect.
Related commands display sftp client source sftp ipv6 Use sftp ipv6 to connect an SFTP client to an IPv6 SFTP server and enter SFTP client view. Syntax In non-FIPS mode: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 |...
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, aes128, and aes256 are listed in ascending order of both security strength and computation time; single DES has a 56-bit key and should be selected only when the peer supports nothing stronger.
• 3des: Specifies the encryption algorithm 3des-cbc.
• aes128: Specifies the encryption algorithm aes128-cbc.
ssh client source Use ssh client source to specify the source IPv4 address for SSH packets. Use undo ssh client source to restore the default. Syntax ssh client source { interface interface-type interface-number | ip ip-address } undo ssh client source Default The source IP address for SSH packets is not configured.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.
dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets sent by the SSH client, in the range of 0 to 63.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs more time in calculation than dh-group1.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
SSL commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSL server policy configuration commands ciphersuite Use ciphersuite to specify the cipher suites supported by an SSL server policy.
exp_rsa_rc4_md5: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm RC4, and the MAC algorithm MD5. rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 3DES_EDE_CBC, and the MAC algorithm SHA. rsa_aes_128_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES_CBC, and the MAC algorithm SHA.
client-verify enable Use client-verify enable to enable the SSL server to use digital certificates to authenticate clients. Use undo client-verify enable to restore the default. Syntax client-verify enable undo client-verify enable Default The SSL server does not authenticate SSL clients. Views SSL server policy view Predefined user roles...
network-operator Parameters policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, the command displays information about all SSL server policies. Examples # Display information about the SSL server policy policy1. <Sysname>...
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] pki-domain server-domain
Related commands
• display ssl server-policy
• pki domain
session cachesize
Use session cachesize to set the maximum number of sessions that the SSL server can cache.
Use undo session cachesize to restore the default.
Syntax
session cachesize size
undo session cachesize
Syntax
ssl server-policy policy-name
undo ssl server-policy policy-name
Default
No SSL server policy exists on the device.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a name for the SSL server policy, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suites.
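An audit of the cipher-suite keywords this chapter lists for `ciphersuite` (SSL server policy view) and `prefer-cipher` (SSL client policy view), as an added Python example written for this page, not code from the product documentation. It parses the keyword grammar the list follows (`[exp_]<kex>_<cipher>[_<bits>][_cbc]_<mac>`), derives the effective key length, flags the export, RC2, RC4, DES, 3DES and MD5 suites, and rebuilds a `ciphersuite` command from the suites that survive. The weakness criteria and the constructed policy1 configuration are the example's own assumptions.

```python
"""Audit of the cipher-suite keywords accepted by `ciphersuite` (SSL server
policy view) and `prefer-cipher` (SSL client policy view).  Example code
written for this page, not Comware's implementation; the weakness criteria
are the author's, based on the algorithm each keyword names."""
import re
from typing import Dict, List

# Keyword grammar: [exp_]<kex>_<cipher>[_<bits>][_cbc]_<mac>
SUITE_RE = re.compile(
    r"^(?P<export>exp_)?(?P<kex>dhe_rsa|rsa)_(?P<cipher>aes|3des_ede|des|rc4|rc2)"
    r"(?:_(?P<bits>\d+))?(?:_(?P<mode>cbc))?_(?P<mac>sha|md5)$"
)


def parse_suite(keyword: str) -> Dict[str, object]:
    m = SUITE_RE.match(keyword)
    if not m:
        raise ValueError(f"not a ciphersuite keyword: {keyword}")
    export = m.group("export") is not None
    cipher = m.group("cipher")
    if export:
        key_bits = 40                     # export suites are limited to 40-bit keys
    elif m.group("bits"):
        key_bits = int(m.group("bits"))
    elif cipher == "3des_ede":
        key_bits = 112                    # 168-bit key, 112-bit effective strength
    else:
        key_bits = 56                     # single DES
    return {"kex": m.group("kex"), "cipher": cipher, "key_bits": key_bits,
            "mac": m.group("mac"), "export": export,
            "forward_secrecy": m.group("kex") == "dhe_rsa"}


def weaknesses(keyword: str) -> List[str]:
    """Reasons a suite should not be offered; an empty list means acceptable."""
    s = parse_suite(keyword)
    reasons = []
    if s["export"]:
        reasons.append("export-grade 40-bit key")
    if s["cipher"] == "rc4":
        reasons.append("RC4 has exploitable keystream biases")
    if s["cipher"] == "rc2":
        reasons.append("RC2 is obsolete")
    if s["cipher"] == "des":
        reasons.append("56-bit DES is brute-forceable")
    if s["cipher"] == "3des_ede":
        reasons.append("3DES has a 64-bit block (Sweet32) and 112-bit strength")
    if s["mac"] == "md5":
        reasons.append("MD5-based MAC is deprecated")
    return reasons


def configured_suites(policy_config: str) -> List[str]:
    """Return the keywords on the `ciphersuite` line of an SSL server policy."""
    for line in policy_config.splitlines():
        toks = line.split()
        if toks and toks[0] == "ciphersuite":
            return toks[1:]
    return []


def audit(policy_config: str) -> Dict[str, List[str]]:
    return {kw: weaknesses(kw) for kw in configured_suites(policy_config)}


def hardened_ciphersuite(policy_config: str) -> str:
    """Rebuild the `ciphersuite` command keeping only suites with no findings,
    forward-secret (DHE) suites first, then by key length."""
    keep = [kw for kw in configured_suites(policy_config) if not weaknesses(kw)]
    keep.sort(key=lambda kw: (not parse_suite(kw)["forward_secrecy"],
                              -parse_suite(kw)["key_bits"]))
    return "ciphersuite " + " ".join(keep)


# Constructed server policy (assumed) mixing export and RC4 suites with AES suites.
POLICY_CONFIG = """\
ssl server-policy policy1
 pki-domain server-domain
 ciphersuite exp_rsa_rc4_md5 rsa_des_cbc_sha rsa_rc4_128_sha rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha
 client-verify enable
"""

if __name__ == "__main__":
    for suite, findings in audit(POLICY_CONFIG).items():
        print(f"{suite:28s} {'; '.join(findings) or 'ok'}")
    print(hardened_ciphersuite(POLICY_CONFIG))
```

The rebuilt command is the one to paste back into SSL server policy view; the same `weaknesses()` check applies to the single keyword given to `prefer-cipher` on the client side.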
prefer-cipher Use prefer-cipher to specify a preferred cipher suite for an SSL client policy. Use undo prefer-cipher to restore the default. Syntax In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } undo prefer-cipher In FIPS mode:...
rsa_rc4_128_md5: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm SHA.
Usage guidelines
SSL employs the following algorithms:
Predefined user roles network-admin Usage guidelines The SSL client and server use digital certificates to authenticate each other. For more information about digital certificates, see Security Configuration Guide. If you execute the server-verify enable command, an SSL server must send its own digital certificate to the SSL client for authentication.
[Sysname-ssl-client-policy-policy1] Related commands display ssl client-policy version Use version to specify an SSL version for an SSL client policy. Use undo version to restore the default. Syntax In non-FIPS mode: version { ssl3.0 | tls1.0 } undo version In FIPS mode: version tls1.0 undo version Default...
ASPF commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. aspf apply policy Use aspf apply policy to apply an ASPF policy to an interface. Use undo aspf apply policy to remove an ASPF policy application from an interface.
aspf policy Use aspf policy to create an ASPF policy and enter its view. Use undo aspf policy to remove an ASPF policy. Syntax aspf policy aspf-policy-number undo aspf policy aspf-policy-number Default No ASPF policy exists. Views System view Predefined user roles network-admin Parameters aspf-policy-number: Assigns a number to the ASPF policy.
For a multi-channel protocol, if you enable TCP or UDP inspection without configuring application layer protocol inspection, the device might not be able to receive response packets. HP recommends that you enable application layer protocol inspection together with TCP/UDP inspection.
display aspf all Use display aspf all to display the configuration of all ASPF policies and their applications. Syntax display aspf all Views Any view Predefined user roles network-admin network-operator Examples # Display the configuration of all ASPF policies and their applications. <Sysname>...
Use undo icmp-error drop to restore the default. Syntax icmp-error drop undo icmp-error drop Default The ICMP error message check is disabled. Views ASPF policy view Predefined user roles network-admin Usage guidelines An ICMP error message carries information about the corresponding connection. ICMP error message check verifies the information.
Related commands
display aspf session
tcp syn-check
Use tcp syn-check to enable TCP SYN check. TCP SYN check verifies that the first packet of a TCP connection is a SYN packet; if it is not, ASPF drops the packet.
Use undo tcp syn-check to restore the default.
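The behaviour `tcp syn-check` describes, run over a constructed packet trace, as an added Python example written for this page (not Comware code). A minimal session table tracks each TCP flow so that packets belonging to a connection that started with a SYN are permitted, while a first packet that is not a SYN (an ACK-scan probe, or a segment arriving after the flow was reset) is dropped when SYN check is on and opens a session when it is off. The session-state transitions beyond the SYN rule, the teardown on RST/FIN, the addresses and the trace itself are assumptions of the example.

```python
"""Stateful TCP SYN check as described for `tcp syn-check`: the first packet
of a connection must be a SYN, otherwise ASPF drops it.  Example code
written for this page, not Comware's implementation; the session-state
handling beyond the SYN rule (closing on RST/FIN) is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # subset of "SAFR": SYN, ACK, FIN, RST


FlowKey = Tuple[str, int, str, int]


class SynCheckInspector:
    def __init__(self, syn_check: bool):
        self.syn_check = syn_check
        # Sessions keyed by the initiator->responder tuple.
        self.sessions: Dict[FlowKey, str] = {}

    @staticmethod
    def _keys(p: Packet) -> Tuple[FlowKey, FlowKey]:
        return (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)

    def inspect(self, p: Packet) -> str:
        fwd, rev = self._keys(p)
        key = fwd if fwd in self.sessions else rev if rev in self.sessions else None
        if key is not None:
            # Packet belongs to a tracked session: permit it and advance the state.
            if "R" in p.flags or "F" in p.flags:
                del self.sessions[key]          # teardown; later packets need a new SYN
            elif (self.sessions[key] == "SYN_SENT" and key == rev
                  and "S" in p.flags and "A" in p.flags):
                self.sessions[key] = "SYN_RECEIVED"
            elif self.sessions[key] == "SYN_RECEIVED" and key == fwd and "A" in p.flags:
                self.sessions[key] = "ESTABLISHED"
            return "permit"
        # First packet of a would-be session.
        if "S" in p.flags and "A" not in p.flags:
            self.sessions[fwd] = "SYN_SENT"
            return "permit"
        if self.syn_check:
            return "drop"                       # page: first packet is not a SYN
        self.sessions[fwd] = "ESTABLISHED"      # no SYN check: a mid-stream packet opens a session
        return "permit"


def run(trace: List[Packet], syn_check: bool) -> List[str]:
    insp = SynCheckInspector(syn_check)
    return [insp.inspect(p) for p in trace]


CLIENT, SERVER, SCANNER = "10.1.1.5", "10.1.2.20", "198.51.100.7"
# Constructed trace: a normal handshake plus data, an ACK-scan probe with no
# preceding SYN, a RST closing the real session, then a stray ACK on the
# closed flow.
TRACE = [
    Packet(CLIENT, 40000, SERVER, 80, "S"),
    Packet(SERVER, 80, CLIENT, 40000, "SA"),
    Packet(CLIENT, 40000, SERVER, 80, "A"),
    Packet(CLIENT, 40000, SERVER, 80, "A"),     # data segment
    Packet(SCANNER, 55555, SERVER, 80, "A"),    # ACK scan: no session, not a SYN
    Packet(CLIENT, 40000, SERVER, 80, "R"),
    Packet(CLIENT, 40000, SERVER, 80, "A"),     # arrives after teardown
]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run(TRACE, syn_check=True)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags:2s}] {verdict}")
```

With SYN check enabled the probe and the post-reset segment are the only drops; with it disabled both are permitted and each opens a session, which is exactly the gap the command closes.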
APR commands app-group Use app-group to create an application group and enter application group view. Use undo app-group to remove the specified application group. Syntax app-group group-name undo app-group group-name Default Multiple pre-defined application groups exist on the device. Views System view Predefined user roles network-admin...
Syntax application statistics enable [ inbound | outbound ] undo application statistics enable [ inbound | outbound ] Default The application statistics function is disabled on an interface. Views Layer 3 interface view Predefined user roles network-admin Parameters inbound: Specifies the inbound direction of the interface. outbound: Specifies the outbound direction of the interface.
copy app-group Use copy app-group to copy all application protocols in an application group to another group. Syntax copy app-group group-name Views Application group view Predefined user roles network-admin Parameters group-name: Specifies the name of the source application group, a case-insensitive string of 1 to 63 characters.
Parameters group-description: Configures a description for the user-defined application group. It is a case-sensitive string of 1 to 127 characters. Spaces are allowed. Examples # Configure a description for the application group aaa. <Sysname> system-view [Sysname] app-group aaa [Sysname-app-group-aaa] description User defined aaa group Related commands app-group display app-group...
app1    User-defined  0x80000001
bapp3   User-defined  0x80000006
pop3    Pre-defined   0x00000e75
smtp    Pre-defined   0x00001135
Table 57 Command output
Field	Description
Group name	Application group name.
Group ID	Application group ID.
Type	Application protocol or application group attribute: Pre-defined or User-defined.
Application count	Number of application protocols in the application group.
Examples
# Display information about all pre-defined application protocols.
<Sysname> display application pre-defined
Pre-defined count:
Application name   Type         App ID      Tunnel  Encrypted
ambit-lm           Pre-defined  0x000000b9
amdsched           Pre-defined  0x000000ba
amidxtape          Pre-defined  0x000000bb
amiganetfs         Pre-defined  0x000000bc
aminet             Pre-defined  0x000000bd
                   Pre-defined  0x000000be
amt-soap-https     Pre-defined  0x000000cc
appserv-http...
l2c-connect   Pre-defined  0x000009b6
l2c-info      Pre-defined  0x000009b7
l2tp          Pre-defined  0x000009b8
l3-exprt      Pre-defined  0x000009b9
l3-hawk       Pre-defined  0x000009ba
# Display information about the application protocol Telnet.
<Sysname> display application name telnet
Application name: telnet
Application ID: 0x000012b7
Tunnel:
Encrypted:
Table 58 Command output
Field	Description
Total count...
Views User view Predefined user roles network-admin network-operator Parameters direction: Specifies the direction of the interface. inbound: Specifies the inbound direction. outbound: Specifies the outbound direction. interface interface-type interface-number: Specifies an interface by its type and number. name application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters.
Table 59 Command output
Field	Description
Interface	Interface name.
Application	Name of the application protocol.
In/Out	Interface direction: In or Out.
Packets	Number of packets received or sent by the interface.
Bytes	Number of bytes received or sent by the interface.
	Packets received or sent per second.
The system uses the sum of inbound and outbound statistics to rank the application protocols. If multiple application protocols have the same sum, the system displays them in alphabetical order. Examples # Display the top three application protocols that have received and sent the most packets on interface GigabitEthernet 2/1/1.
tftp Table 61 Command output Field Description Application Application protocol using the port mapping. Protocol Transport layer protocol. Port Port number to which the application protocol is mapped. Related commands • port-mapping • display port-mapping user-defined display port-mapping user-defined Use display port-mapping user-defined to display information about the user-defined port mappings. Syntax display port-mapping user-defined [ application application-name | port port-number ] Views...
Table 62 Command output Field Description Application Application protocol using port mapping. Port Port number to which the application protocol is mapped. Protocol Transport layer protocol. Match types: • ---—No match types or match conditions are specified, and all packets that have the specified port are recognized as the packets of the specified application protocol.
Parameters application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. Valid characters include digits, letters, hyphens (-), and underlines (_). "invalid" or "other" are not allowed. Usage guidelines Execute this command multiple times to add multiple pre-defined or user-defined application protocols to a user-defined application group.
• sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. Usage guidelines If no transport layer protocol is specified, packets encapsulated by any transport layer protocol that have the specified port are recognized as the specified application protocol's packets. If the destination port of a packet matches a general port mapping, APR recognizes the packet as the specified application protocol's packet.
• sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. acl [ ipv6 ] acl-number: Specifies the number of an ACL, in the range of 2000 to 2999. To specify an IPv6 ACL, include the ipv6 keyword. To specify an IPv4 ACL, do not include the ipv6 keyword. Usage guidelines If you do not specify a transport layer protocol, all packets encapsulated by the transport layer protocols that have the specified port are recognized as the specified application protocol's packets.
protocol protocol-name: Specifies a transport layer protocol by its name, including: • dccp: Specifies DCCP. • sctp: Specifies SCTP. • tcp: Specifies TCP. • udp: Specifies UDP. • udp-lite: Specifies UDP-Lite. { ip | ipv6 } start-ip-address [ end-ip-address ]: Specifies a range of IPv4 or IPv6 addresses. The ip keyword specifies the IPv4 addresses, and the ipv6 keyword specifies the IPv6 addresses.
undo port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ] Default An application protocol is mapped to a well-known port. Views System view Predefined user roles network-admin Parameters...
[Sysname] port-mapping application ftp port 3456 subnet ip 1.1.1.0 24 # Create a mapping of port 3456 to FTP for the packets sent to the IPv6 hosts on subnet 1::/120. <Sysname> system-view [Sysname] port-mapping application ftp port 3456 subnet ipv6 1:: 120 Related commands display port-mapping user-defined reset application statistics...
Session management commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. display session aging-time application Use display session aging-time application to display the aging time for sessions of different application layer protocols.
Table 63 Command output Field Description Application Application layer protocol. Aging Time(s) Aging time in seconds. Related commands application aging-time display session aging-time state Use display session aging-time state to display the aging time for sessions in different protocol states. Syntax display session aging-time state Views...
Table 65 Command output Field Description Source IP/port Source IP address and port number of the session. If the IP or port number is not specified, this field displays a hyphen (-). For an IPv6 relation entry, the source port number is not displayed. Destination IP/port Destination IP address and port number of the session.
Field Description RAWIP sessions Number of Raw IP sessions and number of Raw IP sessions in different states. Current relation-table entries Total number of relation entries. Session establishment rate Session establishment rate, and rates for establishing sessions of different protocols. Received TCP Number of received TCP packets and packet bytes.
destination-ip destination-ip: Specifies a destination IP address. The destination-ip argument specifies the destination IP address of a session from the initiator to the responder. verbose: Displays detailed information about session entries. If you do not specify this keyword, this command displays brief information about session entries. Usage guidelines If no parameter except IPv4 or IPv6 is specified, this command displays all IPv4 or IPv6 session entries.
Interface(in) : GigabitEthernet2/1/1 Interface(out): GigabitEthernet2/1/2 Initiator->Responder: 1 packets 104 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 1 Table 67 Command output Field Description Initiator Information about the session from the initiator to the responder. Responder Information about the session from the responder to the initiator. Address of the DS-Lite tunnel peer.
Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If no card is specified, this command clears session statistics for all cards. (MSR4000.) Examples # Clear all session statistics. <Sysname> reset session statistics Related commands display session statistics reset session relation-table Use reset session relation-table to clear relation entries.
session aging-time application Use session aging-time application to set the aging time for sessions of an application layer protocol. Use undo session aging-time application to restore the default. If no application layer protocol is specified, this command restores the default aging time for all sessions of the supported application layer protocols.
ras: Specifies the RAS protocol. rtsp: Specifies the Real Time Streaming Protocol (RTSP) protocol. sip: Specifies the Session Initiation Protocol (SIP) protocol. tftp: Specifies the TFTP protocol. ils: Specifies the Internet Locator Service (ILS) protocol. mgcp: Specifies the Media Gateway Control Protocol (MGCP) protocol. nbt: Specifies the NetBIOS over TCP/IP (NBT) protocol.
Default The aging time for sessions in different protocol states is as follows: • TCP SYN-SENT and SYN-RCV: 30 seconds. • TCP ESTABLISHED: 3600 seconds. • FIN_WAIT: 30 seconds. • UDP-OPEN: 30 seconds. • UDP-READY: 60 seconds. • ICMP-REQUEST: 60 seconds. ...
session log bytes-active Use session log bytes-active to set the byte-based threshold for traffic-based logging. Use undo session log bytes-active to restore the default. Syntax session log bytes-active bytes-value undo session log bytes-active Default The device does not output session logs based on the byte-based threshold. Views System view Predefined user roles...
Views Interface view Predefined user roles network-admin Parameters ipv4: Logs IPv4 sessions. ipv6: Logs IPv6 sessions. acl acl-number: Specifies an ACL by its number in the range of 2000 to 3999. inbound: Specifies the inbound direction. outbound: Specifies the outbound direction. Usage guidelines If no ACL is specified, this command enables session logging for all IPv4 or IPv6 sessions on the interface.
Syntax session log packets-active packets-value undo session log packets-active Default The device does not output session logs based on the packet-based threshold. Views System view Predefined user roles network-admin Parameters packets-value: Sets the packet-based threshold in the range of 1 to 1000 mega-packets. Usage guidelines If you set both traffic-based and time-based logging, the device outputs a session log when either threshold is reached.
Parameters time-value: Sets the interval in minutes. The value range for the time-value argument is 10 to 120, and the value must be a multiple of 10. Usage guidelines If you set both time-based and traffic-based logging, the device outputs a session log when either threshold is reached.
• Aging time for sessions of application layer protocols. • Aging time for sessions in different protocol states. A never-age-out session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries. Examples # Specify IPv4 ACL 2000 for identifying persistent sessions and set the aging time to 72 hours, so that the IPv4 sessions permitted by ACL 2000 are persistent sessions with an aging time of 72 hours.
Connection limit commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. connection-limit apply Use connection-limit apply to apply a connection limit policy to an interface. Use undo connection-limit apply to remove the application.
connection-limit apply global Use connection-limit apply global to apply a connection limit policy globally. Use undo connection-limit apply global to remove the application. Syntax connection-limit apply global { ipv6-policy | policy } policy-id undo connection-limit apply global { ipv6-policy | policy } Default No connection limit policy is applied globally.
Default No connection limit policy exists. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 connection limit policy. policy: Specifies an IPv4 connection limit policy. policy-id: Specifies a connection limit policy by its ID, in the range of 1 to 32. An IPv4 or IPv6 connection limit policy has its own number.
policy-id: Specifies a connection limit policy by its ID in the range of 1 to 32. all: Specifies all connection limit policies. Examples # Display information about all IPv4 connection limit policies. <Sysname> display connection-limit policy all 3 policies in total: Policy Rule Stat Type...
3020 100000 89000 2005 # Display information about the IPv6 connection limit policy 3. <Sysname> display connection-limit ipv6-policy 3 IPv6 connection limit policy 3 has been applied 3 times, and has 2 limit rules. Limit rule list: Policy Rule Stat Type HiThres LoThres --------------------------------------------------------------------------------...
display connection-limit ipv6-stat-nodes Use display connection-limit ipv6-stat-nodes to display statistics about IPv6 connections that match connection limit rules globally or on an interface. Syntax MSR1000/MSR2000/MSR3000: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ destination destination-ip | service-port port-number | source source-ip ] * [ count ] MSR4000: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ destination destination-ip | service-port port-number | source source-ip ] * [ count ]...
If you specify none of the source source-ip, destination destination-ip, and service-port port-number options, this command displays statistics about all IPv6 connections that match connection limit rules. Examples # (MSR1000/MSR2000/MSR3000.) Display statistics about all IPv6 connections that match the connection limit rule on GigabitEthernet 2/1/1. <Sysname>...
<Sysname> display connection-limit ipv6-stat-nodes interface vlan-interface 10 slot 2 count Slot 2: Current limit statistic nodes count is 1. Table 69 Command output Field Description Src IP address Source IPv6 address. Dst IP address Destination IPv6 address. VPN instance MPLS L3VPN to which the IP address belongs. "---" indicates that the IP address is on the public network.
Parameters global: Displays the global connection limit statistics. interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card or virtual interface by its slot number. This option is available only when you specify the global keyword or specify a virtual interface (such as a VLAN interface or tunnel interface).
display connection-limit stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ destination destination-ip | service-port port-number | source source-ip ] * [ count ] Views User view Predefined user roles network-admin network-operator Parameters global: Displays statistics about IPv4 connections that match connection limit rules globally. interface interface-type interface-number: Specifies an interface by its type and number.
DS-Lite tunnel peer : -- Service : tcp/12345 Limit rule ID : 12345(ACL: 3001) Sessions threshold Hi/Lo: 1100000/980000 Sessions count : 1050000 New session flag : Permit # (MSR1000/MSR2000/MSR3000.) Display statistics about all IPv4 connections that match the connection limit rule on VLAN-interface 2. <Sysname>...
Field Description Dst IP address Destination IP address. VPN instance MPLS L3VPN to which the IP address belongs. "---" indicates that the IP address is on the public network. DS-Lite tunnel peer ID of the DS-Lite tunnel. "---" indicates that the connection does not belong to any DS-Lite tunnel.
ipv6: References an IPv6 ACL. If this keyword is not specified, an IPv4 ACL is referenced. This keyword exists only in IPv6 connection limit policy view. acl-number: Specifies an ACL by its number in the range of 2000 to 3999. name acl-name: Specifies an ACL by its name.
[Sysname-acl6-basic-2001] rule permit source 2:1::/96 [Sysname-acl6-basic-2001] quit # Limit connections that match ACL 2001 by the source and destination IP addresses, with the upper limit 200 and lower limit 100. [Sysname] connection-limit ipv6-policy 12 [Sysname-connlmt-ipv6-policy-12] limit 2 acl ipv6 2001 per-destination amount 200 100 # Verify that when the connection number exceeds 200, new connections cannot be established until the connection number drops below 100.
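The threshold behaviour just described (new sessions blocked once the count reaches the upper limit, and permitted again only after it drops below the lower limit), as an added Python model that is not part of the HP manual or its software. The statistic-node fields echo the display connection-limit stat-nodes output; the responder address, session sources and the exact boundary comparisons are assumptions.

```python
import ipaddress


class ConnectionLimitRule:
    """Constructed model of one connection limit rule: sessions whose source
    matches the ACL prefix are counted per destination (or per source) address,
    and a statistic node flips its new-session flag to Deny at the upper
    threshold and back to Permit once the count falls below the lower one."""

    def __init__(self, rule_id, acl_prefix, hi_threshold, lo_threshold, key="per-destination"):
        if not 0 < lo_threshold <= hi_threshold:
            raise ValueError("thresholds must satisfy 0 < lo <= hi")
        if key not in ("per-destination", "per-source"):
            raise ValueError("key must be 'per-destination' or 'per-source'")
        self.rule_id = rule_id
        self.acl = ipaddress.ip_network(acl_prefix)  # stands in for the basic ACL rule
        self.hi, self.lo = hi_threshold, lo_threshold
        self.key = key
        self.nodes = {}  # keyed address -> {"count": int, "permit": bool}

    def _matches(self, src):
        s = ipaddress.ip_address(src)
        return s.version == self.acl.version and s in self.acl

    def _node_key(self, src, dst):
        return dst if self.key == "per-destination" else src

    def open_session(self, src, dst):
        """Return True if the new session is allowed, False if the limit blocks it."""
        if not self._matches(src):
            return True  # traffic outside the ACL is not limited
        node = self.nodes.setdefault(self._node_key(src, dst), {"count": 0, "permit": True})
        if not node["permit"]:
            return False
        node["count"] += 1
        if node["count"] >= self.hi:  # upper limit reached: block further sessions
            node["permit"] = False
        return True

    def close_session(self, src, dst):
        """Account for a matching session ending; re-open once below the lower limit."""
        if not self._matches(src):
            return
        node = self.nodes.get(self._node_key(src, dst))
        if node is None or node["count"] == 0:
            return
        node["count"] -= 1
        if not node["permit"] and node["count"] < self.lo:
            node["permit"] = True

    def stat_node(self, keyed_address):
        """Fields named as in the display connection-limit stat-nodes output."""
        node = self.nodes.get(keyed_address, {"count": 0, "permit": True})
        return {
            "Limit rule ID": self.rule_id,
            "Sessions threshold Hi/Lo": (self.hi, self.lo),
            "Sessions count": node["count"],
            "New session flag": "Permit" if node["permit"] else "Deny",
        }


def demo():
    """Walk through the configuration above: ACL 2001 permits 2:1::/96,
    limit rule 2 counts per destination with hi 200 and lo 100."""
    rule = ConnectionLimitRule(2, "2:1::/96", 200, 100)
    dst = "2001:db8::1"  # constructed responder address
    # 201 attempts from sources inside 2:1::/96: the first 200 succeed.
    opened = sum(rule.open_session(f"2:1::{i % 50 + 1:x}", dst) for i in range(201))
    blocked_at_201 = not rule.open_session("2:1::ff", dst)
    for i in range(100):  # count drops to exactly 100: still not below lo
        rule.close_session(f"2:1::{i % 50 + 1:x}", dst)
    still_blocked = not rule.open_session("2:1::ff", dst)
    rule.close_session("2:1::1", dst)  # count 99 < lo: flag returns to Permit
    reopened = rule.open_session("2:1::ff", dst)
    return opened, blocked_at_201, still_blocked, reopened, rule.stat_node(dst)


if __name__ == "__main__":
    print(demo())
```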
Object group commands description Use description to configure a description for an object group. Use undo description to delete the description for an object group. Syntax description text undo description Default An object group does not have a description. Views Object group view Predefined user roles network-admin...
ipv6 address: Specifies the IPv6 address object group. port: Specifies the port object group. service: Specifies the service object group. default: Specifies the default object group. name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 31 characters.
0 network host address 1.1.1.1 10 network host name host 20 network subnet 1.1.1.1 255.255.255.0 30 network range 1.1.1.1 1.1.1.2 40 network group-object obj1 # Display information about all IPv4 object groups. <Sysname> display object-group ip address Ip address object-group obj1: 0 object(in use) Ip address object-group obj2: 5 objects(out of use) 0 network host address 1.1.1.1 10 network host name host...
Predefined user roles network-admin Parameters object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the smallest multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.
# Configure an IPv4 address object with the host name of pc3. <Sysname> system-view [Sysname] object-group ip address ipgroup [Sysname-obj-grp-ip-ipgroup] network host name pc3 # Configure an IPv4 address object with the IPv4 address of 192.167.0.0 and mask length of 24. <Sysname>...
address ipv6-address: Specifies an IPv6 host address. name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters. subnet ipv6-address prefix-length: Configures an IPv6 address object with the subnet address followed by the prefix length in the range of 1 to 128. range ipv6-address1 ipv6-address2: Configures an IPv6 address object with the address range starting with ipv6-address1 and ending with ipv6-address2. group-object object-group-name: Specifies an IPv6 address object group to be referenced by its name,...
# Configure an IPv6 address object with the address range of 1:1:1::1 to 1:1:1::100. <Sysname> system-view [Sysname] object-group ipv6 address ipv6group [Sysname-obj-grp-ipv6-ipv6group] network range 1:1:1::1 1:1:1::100 # Configure an IPv6 address object referencing object group ipv6group2. <Sysname> system-view [Sysname] object-group ipv6 address ipv6group [Sysname-obj-grp-ipv6-ipv6group] network group-object ipv6group2 object-group Use object-group to configure an object group and enter the object group view.
• If the specified group exists but the group type is different from that in the command, the command fails. • If the specified object group is being referenced by an ACL, object policy, or object group, the command fails. Examples # Configure an IPv4 address object group named ipgroup.
range port1 port2: Configures a port object with a port range starting with port1 and ending with port2. The value range for the port1 and port2 arguments is 0 to 65535. group-object object-group-name: Specifies a port object group to be referenced by its name, a case-insensitive string of 1 to 31 characters.
<Sysname> system-view [Sysname] object-group port portgroup [Sysname-obj-grp-port-portgroup] port gt 60000 # Configure a port object with a port number in the range of 1000 to 2000. <Sysname> system-view [Sysname] object-group port portgroup [Sysname-obj-grp-port-portgroup] port range 1000 2000 # Configure a port object referencing object group portgroup2. <Sysname>...
port: Specifies a port number in the range of 0 to 65535. range port1 port2: Configures a service object with a port range starting with port1 and ending with port2. The value range for the port1 and port2 arguments is 0 to 65535. icmp-type icmp-code: Configures the ICMP message type in the range of 0 to 255, and the message code in the range of 0 to 255.
# Configure a service object with the source and destination port numbers for the TCP service. <Sysname> system-view [Sysname] object-group service servicegroup [Sysname-obj-grp-service-servicegroup] service tcp source eq 100 destination range 10 100 # Configure a service object with the message type and code for the ICMP service. <Sysname>...
IP source guard commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The IP source guard commands are supported on the following hardware: MSR routers installed with the Layer 2 switching module HMIM-24GSW/24GSWP or •...
vlan vlan-id: Displays IPv4 source guard binding entries for a VLAN. The vlan-id argument specifies the VLAN ID in the range of 1 to 4094. interface interface-type interface-number: Displays IPv4 source guard binding entries on an interface. The interface-type interface-number argument specifies the interface type and the interface number. slot slot-number: Specifies the number of the slot that holds the card.
Total entries found: 2 IPv6 Address MAC Address Interface VLAN Type 2012:1222:2012:1222:2012:1222:2012:1222 000f-2202-0435 GE2/1/1 DHCPv6 snooping 2012:1222:2012:1222:2012:1222:2012:1223 000f-2202-0436 GE2/1/1 Static Table 74 Command output Field Description Total entries found Total number of IPv6 source guard binding entries. IPv6 Address IPv6 address in the IPv6 source guard binding entry. If no IPv6 address is bound in the entry, this field displays N/A.
Parameters all: Removes all the static IPv4 source guard binding entries on the interface. ip-address ip-address: Specifies an IPv4 address for the static binding entry. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address. mac-address mac-address: Specifies a MAC address for the static binding entry.
Parameters ip-address: Filters incoming packets by source IPv4 addresses. ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses. mac-address: Filters incoming packets by source MAC addresses. Usage guidelines This command enables both static and dynamic IPv4 source guard on the interface. Dynamic IP source guard obtains user information from other modules to generate dynamic binding entries, and uses the entries to filter incoming packets based on the matching criteria.
Predefined user roles network-admin Parameters all: Removes all the static IPv6 source guard binding entries on the interface. ip-address ipv6-address: Specifies an IPv6 address for the static binding entry. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address. mac-address mac-address: Specifies a MAC address for the static binding entry.
Predefined user roles network-admin Parameters ip-address: Filters incoming packets by source IPv6 addresses. ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses. mac-address: Filters incoming packets by source MAC addresses. Usage guidelines This command enables both static and dynamic IPv6 source guard on the interface. Dynamic IPv6 source guard obtains information from DHCPv6 snooping entries to generate dynamic binding entries, and uses the entries to filter incoming packets based on the matching criteria.
ARP attack protection commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Unresolvable IP attack protection commands arp resolving-route enable Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp source-suppression enable to restore the default. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression function is disabled. Views System view Predefined user roles network-admin Usage guidelines Configure this feature on the gateways. Examples # Enable the ARP source suppression function.
Examples # Set the maximum number of unresolvable packets that can be received from a device in 5 seconds to 100. <Sysname> system-view [Sysname] arp source-suppression limit 100 Related commands display arp source-suppression. display arp source-suppression Use display arp source-suppression to display information about the current ARP source suppression configuration.
undo arp source-mac [ filter | monitor ] Default The source MAC-based ARP attack detection function is disabled. Views System view Predefined user roles network-admin Parameters filter: Generates log messages and discards subsequent ARP packets from the MAC address. monitor: Only generates log messages. Usage guidelines Configure this feature on the gateways.
Views System view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range is 1 to 5000. Examples # Configure the threshold for source MAC-based ARP attack detection as 30. <Sysname> system-view [Sysname] arp source-mac threshold 30 display arp source-mac Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack...
Views System view Predefined user roles network-admin Parameters strict: Enables strict mode for ARP active acknowledgement. Usage guidelines Configure this feature on gateways to prevent user spoofing. In strict mode, a gateway can learn an entry only when ARP active acknowledgement is successful based on the correct ARP resolution.
ARP detection commands This feature is available on only the routers installed with Layer 2 switching modules. arp detection enable Use arp detection enable to enable ARP detection. Use undo arp detection enable to restore the default. Syntax arp detection enable undo arp detection enable Default ARP detection is disabled.
[Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] arp detection trust arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line. Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.
Parameters interface interface-type interface-number: Displays the ARP detection statistics of the specified interface. Usage guidelines This command displays numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces. Examples # Display the ARP detection statistics for all interfaces.
Layer 3 aggregate interface/subinterface view VLAN interface view Predefined user roles network-admin Parameters start-ip-address: Specifies the start IP address of the scanning range. end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
undo arp filter source ip-address Default ARP gateway protection is disabled. Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters ip-address: Specifies the IP address of a protected gateway. Usage guidelines You can enable ARP gateway protection for up to eight gateways on an interface. You cannot configure both arp filter source and arp filter binding commands on the same interface.
Usage guidelines You can configure up to eight ARP permitted entries on an interface. You cannot configure both the arp filter source and arp filter binding commands on the same interface. Examples # Configure an ARP permitted entry. <Sysname> system-view [Sysname] interface gigabitethernet 2/1/1 [Sysname-GigabitEthernet2/1/1] arp filter binding 1.1.1.1 2-2-2...
IPv4 uRPF commands In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. display ip urpf Use display ip urpf to display uRPF configuration. Syntax MSR1000/MSR2000/MSR3000: display ip urpf [ interface interface-type interface-number ]...
Check type: strict Allow default route Link check Suppress drop ACL: 3000 Table 77 Command output Field Description uRPF configuration information of interface uRPF configuration on the interface. Check type uRPF check mode: loose or strict. Allow default route Allow use of the default route. Link check Link layer check is enabled.
Configure strict uRPF check on a PE interface connected to a CE, and configure loose uRPF check on a PE interface connected to another ISP. For asymmetrical routing where the interface receiving upstream traffic is different from the interface forwarding downstream traffic on a PE device, configure loose uRPF to avoid discarding valid packets. If the two interfaces are the same (symmetrical routing), configure strict uRPF.
IPv6 uRPF configuration information of interface GigabitEthernet2/1/1: Check type: loose Allow default route Suppress drop ACL: 2000 Table 78 Command output Field Description IPv6 uRPF configuration information of interface IPv6 uRPF configuration on the interface. Check type IPv6 uRPF check mode: loose or strict. Allow default route Allow use of the default route.
For asymmetrical routing where the interface receiving upstream traffic is different from the interface forwarding downstream traffic on a PE device, configure loose IPv6 uRPF to avoid discarding valid packets. If the two interfaces are the same (symmetrical routing), configure strict IPv6 uRPF. An ISP usually adopts symmetrical routing on a PE device.
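The strict and loose checks described for IPv4 uRPF above and repeated here for IPv6 uRPF, as an added Python simulation that is not part of the HP manual or its software. It models only the check type and the "Allow default route" flag from the display output, not link check or the suppress-drop ACL; the FIB, interface names and packets are constructed.

```python
import ipaddress


class Fib:
    """Constructed forwarding table: prefix -> interfaces the prefix is reachable through."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), frozenset(ifaces))
                       for prefix, ifaces in routes]

    def lookup(self, src):
        """Longest-prefix match for the packet's source address; None if no route."""
        addr = ipaddress.ip_address(src)
        best = None
        for prefix, ifaces in self.routes:
            if addr.version == prefix.version and addr in prefix:
                if best is None or prefix.prefixlen > best[0].prefixlen:
                    best = (prefix, ifaces)
        return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default_route=False):
    """Return True if the packet passes uRPF and is forwarded, False if it is dropped.

    strict: the route back to the source must point out of the ingress interface.
    loose:  any route back to the source is enough.
    A default route (prefix length 0) counts only when allow_default_route is set,
    which mirrors the "Allow default route" flag in the display output.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = fib.lookup(src)
    if route is None:
        return False
    prefix, ifaces = route
    if prefix.prefixlen == 0 and not allow_default_route:
        return False
    if mode == "loose":
        return True
    return in_iface in ifaces


# Constructed PE router: GigabitEthernet2/1/1 faces a CE (customer prefixes),
# GigabitEthernet2/1/2 faces another ISP (a peer prefix plus the default route).
EXAMPLE_FIB = Fib([
    ("10.1.0.0/16", ["GigabitEthernet2/1/1"]),
    ("2001:db8:1::/48", ["GigabitEthernet2/1/1"]),
    ("192.0.2.0/24", ["GigabitEthernet2/1/2"]),
    ("0.0.0.0/0", ["GigabitEthernet2/1/2"]),
    ("::/0", ["GigabitEthernet2/1/2"]),
])


def run_scenarios(fib=EXAMPLE_FIB):
    """Evaluate constructed packets under the recommended policy:
    strict on the CE-facing interface, loose (with default route) on the ISP-facing one."""
    policy = {  # interface -> (mode, allow_default_route)
        "GigabitEthernet2/1/1": ("strict", False),
        "GigabitEthernet2/1/2": ("loose", True),
    }
    packets = [  # (source address, ingress interface)
        ("10.1.2.3", "GigabitEthernet2/1/1"),       # customer host arriving from the CE
        ("192.0.2.9", "GigabitEthernet2/1/1"),      # ISP-side prefix claimed from the CE side
        ("10.1.2.3", "GigabitEthernet2/1/2"),       # customer source arriving from the ISP
        ("203.0.113.5", "GigabitEthernet2/1/2"),    # only the default route matches
        ("2001:db8:1::7", "GigabitEthernet2/1/1"),  # IPv6 customer host from the CE
    ]
    results = {}
    for src, iface in packets:
        mode, allow_default = policy[iface]
        results[(src, iface)] = urpf_check(fib, src, iface, mode, allow_default)
    return results


if __name__ == "__main__":
    for (src, iface), ok in run_scenarios().items():
        print(f"{src:16} on {iface}: {'forward' if ok else 'drop'}")
```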
IPsec services, enabling or disabling hardware crypto engines affects only newly established IPsec SAs. The existing IPsec SAs still use the previously selected crypto engine for data encryption. HP recommends that you use the reset ipsec sa command to delete all existing IPsec SAs before you enable or disable hardware crypto engines.
Field Description Crypto engine type Crypto engine types: • Hardware. • Software. Slot ID ID of the LPU that holds the crypto engine. CPU ID ID of the CPU that holds the crypto engine. Symmetric algorithms Supported symmetric algorithms. Asymmetric algorithms Supported asymmetric algorithms.
Views Any view Predefined user roles network-admin Parameters engine-id engine-id: Specifies a crypto engine by its ID in the range of 0 to 4294967295. If you do not specify a crypto engine, this command clears statistics for all crypto engines. slot slot-number: Specifies a card by its slot number.
FIPS commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled.
After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: • Automatic reboot. Select the automatic reboot method. The system automatically performs the following tasks: Create a default FIPS configuration file named fips-startup.cfg. Specify the default file as the startup configuration file.
Examples # Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode. <Sysname> system-view [Sysname] fips mode enable FIPS mode change requires a device reboot. Continue? [Y/N]:y Reboot the device automatically? [Y/N]:y The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
Usage guidelines To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the card where the self-test process exists reboots.
Known-answer test for RSA(signature/verification) passed. Known-answer test for RSA(encrypt/decrypt) passed. Known-answer test for DSA(signature/verification) passed. Known-answer test for random number generator passed. Known-Answer tests in the user-space passed. Starting Known-Answer tests in the kernel. Known-answer test for SHA1 passed. Known-answer test for HMAC-SHA1 passed. Known-answer test for AES passed.
Known-answer test for HMAC-SHA1 passed. Known-answer test for HMAC-SHA224 passed. Known-answer test for HMAC-SHA256 passed. Known-answer test for HMAC-SHA384 passed. Known-answer test for HMAC-SHA512 passed. Known-answer test for AES passed. Known-answer test for RSA(signature/verification) passed. Known-answer test for RSA(encrypt/decrypt) passed. Known-answer test for DSA(signature/verification) passed.
Attack detection and prevention commands
In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24, MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
ack-flood action
Use ack-flood action to specify global actions against ACK flood attacks.
Use undo ack-flood action to restore the default.
ack-flood threshold
Use ack-flood threshold to set the global threshold for triggering ACK flood attack prevention.
Use undo ack-flood threshold to restore the default.
Syntax
ack-flood threshold threshold-value
undo ack-flood threshold
Default
The global threshold is 1000 for triggering ACK flood attack prevention.
Views
Attack defense policy view
Predefined user roles...
Default No attack defense policy is applied to any interface. Views Layer 3 interface view Predefined user roles network-admin Parameters policy-name: Specifies the name of an attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
Usage guidelines Applying an attack defense policy to a device can improve the efficiency of processing attack packets destined for the device. Each device can have only one attack defense policy applied. If you use this command multiple times, the most recent configuration takes effect.
• Source and destination IP addresses.
• VPN instance.
HP recommends that you disable non-aggregated log output. A large number of logs will consume the display resources of the console.
Examples
# Enable non-aggregated log output for single-packet attack events.
Syntax blacklist enable undo blacklist enable Default The blacklist function on an interface is disabled. Views Layer 3 interface view Predefined user roles network-admin Usage guidelines If the global blacklist function is enabled, the blacklist function is enabled on all interfaces. If the global blacklist function is disabled, you must use this command to enable the blacklist function on individual interfaces.
Examples
# Enable the global blacklist function.
<Sysname> system-view
[Sysname] blacklist global enable
Related commands
• blacklist enable
• blacklist ip
blacklist ip
Use blacklist ip to add an IPv4 blacklist entry.
Use undo blacklist ip to delete a manually added IPv4 blacklist entry.
Syntax
blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ timeout minutes ]
undo blacklist ip source-ip-address [ vpn-instance vpn-instance-name ]...
blacklist logging enable Use blacklist logging enable to enable logging for the blacklist function. Use undo blacklist logging enable to disable logging for the blacklist function. Syntax blacklist logging enable undo blacklist logging enable Default Logging is disabled for the blacklist function. Views System view Predefined user roles...
• blacklist ipv6
client-verify dns enable
Use client-verify dns enable to enable DNS client verification on an interface.
Use undo client-verify dns enable to restore the default.
Syntax
client-verify dns enable
undo client-verify dns enable
Default
DNS client verification is disabled on an interface.
Views
Layer 3 interface view
Predefined user roles...
Default HTTP client verification is disabled on an interface. Views Layer 3 interface view Predefined user roles network-admin Usage guidelines Enable HTTP client verification on the interface that connects to the external network. This function protects internal HTTP servers against HTTP flood attacks. To configure the HTTP client verification to collaborate with HTTP flood attack prevention, specify client-verify as the HTTP flood attack prevention action.
Parameters dns: Specifies the DNS client verification function. http: Specifies the HTTP client verification function. tcp: Specifies the TCP client verification function. destination-ip-address: Specifies the IPv4 address to be protected. All connection requests destined for this address are verified by the client verification function. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv4 address belongs.
Predefined user roles network-admin Parameters dns: Specifies the DNS client verification function. http: Specifies the HTTP client verification function. tcp: Specifies the TCP client verification function. destination-ipv6-address: Specifies the IPv6 address to be protected. All connection requests destined for this address are verified by the client verification function. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv6 address belongs.
Parameters mode: Specifies a working mode for the TCP client verification function. If you do not specify this keyword, the SYN cookie mode is used. syn-cookie: Specifies the SYN cookie mode. In this mode, bidirectional TCP proxy is enabled. safe-reset: Specifies the safe reset mode. In this mode, unidirectional TCP proxy is enabled. Usage guidelines Enable TCP client verification on the interface that connects to the external network to check incoming packets.
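The following Python model is an added illustration of TCP client verification in SYN cookie mode; it is not the device's implementation. The cookie layout (top 8 bits carry a time slot, low 24 bits a truncated HMAC-SHA256 over the 4-tuple and slot), the 60-second slot, the secret and the addresses are assumptions made for the example, and safe reset mode is not modelled. What it shows is the property that makes the mode useful against SYN floods: the device answers a SYN with a SYN-ACK whose sequence number is a stateless cookie, stores nothing, and only a client that completes the handshake with the matching ACK is added to the trusted list; forged ACKs and ACKs for an expired cookie are rejected.

```python
import hashlib
import hmac
import os


class SynCookieVerifier:
    """TCP client verification in SYN-cookie mode, modelled in Python.

    On a SYN the verifier answers on behalf of the server with a SYN-ACK whose
    initial sequence number is a stateless cookie; only a client that returns
    the matching ACK is marked trusted, so spoofed SYN floods create no state.
    Cookie layout (assumption for this example): top 8 bits = time slot,
    low 24 bits = truncated HMAC-SHA256 over the 4-tuple and slot.
    """

    SLOT_SECONDS = 60  # assumed cookie validity window per slot

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.trusted = set()  # sources that completed verification

    def _cookie(self, src, sport, dst, dport, slot):
        msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, sport, dst, dport, now):
        """Return the ISN to send in the SYN-ACK; nothing is stored per SYN."""
        return self._cookie(src, sport, dst, dport, int(now // self.SLOT_SECONDS))

    def on_ack(self, src, sport, dst, dport, ack, now):
        """Validate the third-handshake ACK: ack-1 must equal the cookie for
        the current or the previous slot. Returns True and trusts the source
        on success; a forged or stale ACK returns False."""
        cur = int(now // self.SLOT_SECONDS)
        cookie = (ack - 1) & 0xFFFFFFFF
        for slot in (cur, cur - 1):
            expected = self._cookie(src, sport, dst, dport, slot)
            if hmac.compare_digest(cookie.to_bytes(4, "big"), expected.to_bytes(4, "big")):
                self.trusted.add(src)
                return True
        return False

    def is_trusted(self, src):
        return src in self.trusted


def demo():
    """Walk a legitimate handshake, a forged ACK and a stale ACK through the
    verifier. Uses a fixed secret and constructed addresses so the run is
    reproducible; a real deployment would use a random, rotating secret."""
    v = SynCookieVerifier(secret=b"example-secret-not-for-production")
    client, server = ("198.51.100.7", 40000), ("10.0.0.5", 80)
    isn = v.on_syn(*client, *server, now=100.0)
    legit = v.on_ack(*client, *server, ack=(isn + 1) & 0xFFFFFFFF, now=101.0)
    # Forged ACK from a source that never saw a SYN-ACK: top byte matches no slot.
    forged = v.on_ack("198.51.100.9", 40001, *server, ack=0xAA000001, now=101.0)
    # Correct ACK replayed three slots later: the cookie has expired.
    stale = v.on_ack(*client, *server, ack=(isn + 1) & 0xFFFFFFFF, now=100.0 + 3 * 60)
    return {"legit": legit, "forged": forged, "stale": stale,
            "trusted": sorted(v.trusted)}
```

Accepting the previous slot as well as the current one is what keeps a client that sent its ACK just after a slot boundary from being rejected; narrowing that window shortens the time an observed cookie can be replayed.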
IP address        VPN instance   Detected on   Detect type     State    Rate threshold(PPS)   Dropped
192.168.100.221   a0123456789    GE2/1/2       SYN-ACK-FLOOD   Normal   1000                  4294967295
201.55.7.45       --             GE2/1/2       SYN-ACK-FLOOD   Normal   1000                  111111111
192.168.11.5      --             GE2/1/3       ACK-FLOOD       Normal   1000                  222222222
201.55.7.44       --             GE2/1/4       DNS-FLOOD       Normal   1000                  111111111
192.168.11.4      --             GE2/1/5       ACK-FLOOD       Normal   1000                  22222222
# (MSR4000.) Display flood attack detection and prevention statistics for all IPv4 addresses.
<Sysname>...
Field                     Description
Dropped                   Number of attack packets dropped by the interface or the device.
Totally 2 flood entries   Total number of IPv4 addresses that are protected.
display attack-defense flood statistics ipv6
Use display attack-defense flood statistics ipv6 to display flood attack detection and prevention statistics for a protected IPv6 address.
slot slot-number: Specifies a card by its slot number. This option is available only when you specify a global interface, such as a VLAN interface or tunnel interface. If no card is specified, this command displays IPv6 flood attack detection and prevention statistics on all cards. (MSR4000.) count: Displays the number of matching protected IPv6 addresses.
Table 82 Command output
Field          Description
IPv6 address   Protected IPv6 address.
VPN instance   MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).
Detected on    Where the attack is detected, on the device (Local) or an interface.
Detect type    Type of the detected flood attack.
Policy name     : abc
Applied list    : GE2/1/1 Vlan1
--------------------------------------------------------------------------
Exempt IPv4 ACL : Not configured
Exempt IPv6 ACL : vip
--------------------------------------------------------------------------
Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None
Signature attack defense configuration:
Signature name   Defense   Level   Actions
Fragment         Enabled   Info
Impossible...
ICMP timestamp reply            Disabled   Info
ICMP information request        Disabled   Info
ICMP information reply          Disabled   Medium
ICMP address mask request       Disabled   Medium
ICMP address mask reply         Disabled   Medium
ICMPv6 echo request             Enabled    Medium
ICMPv6 echo reply               Disabled   Medium
ICMPv6 group membership query   Disabled   Medium
ICMPv6 group membership report...
Field                                    Description
Exempt IPv4 ACL                          IPv4 ACL used for attack detection exemption.
Exempt IPv6 ACL                          IPv6 ACL used for attack detection exemption.
Actions                                  Attack prevention actions:
                                         • CV—Client verification.
                                         • BS—Blocking sources.
                                         • L—Logging.
                                         • D—Dropping packets.
                                         • N—No action.
Signature attack defense configuration   Configuration information about single-packet attack detection and...
Field            Description
Global actions   Global prevention actions against the flood attack:
                 • D—Dropping packets.
                 • L—Logging.
                 • CV—Client verification.
                 • -—Not configured.
Service ports    Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).
Related commands
attack-defense policy
display attack-defense policy ip
Use display attack-defense policy ip to display information about IPv4 addresses protected by flood attack detection and prevention.
Syntax
MSR1000/MSR2000/MSR3000:
display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ count ]
MSR4000:...
slot slot-number: Specifies a card by its slot number. If no card is specified, this command displays information about IPv4 addresses protected by flood attack detection and prevention on all cards. (MSR4000.) count: Displays the number of matching IPv4 addresses protected by flood attack detection and prevention.
Field                 Description
VPN instance          MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).
Type                  Type of the flood attack.
Rate threshold(PPS)   Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ipv6-address: Specifies a protected IPv6 address. If no IPv6 address is specified, this command displays information about all protected IPv6 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Table 86 Command output
Field                                    Description
Totally 3 flood protected IP addresses   Total number of the IPv6 addresses protected by flood attack detection and prevention.
IPv6 address                             Protected IPv6 address.
VPN instance                             MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).
Totally 3 attackers.
Slot 1:
Totally 3 attackers.
Table 88 Command output
Field                 Description
Totally 3 attackers   Total number of IPv6 scanning attackers.
IPv6 address          IPv6 address of the attacker.
VPN instance          MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--).
Examples
# (MSR1000/MSR2000/MSR3000.) Display information about all IPv4 scanning attack victims.
<Sysname> display attack-defense scan victim ip
IP address     VPN instance   Detected on   Duration(min)
192.168.31.2                  GE2/1/4
2.2.2.3                       GE2/1/4       1234
# (MSR4000.) Display information about all IPv4 scanning attack victims.
<Sysname> display attack-defense scan victim ip
Slot 0:
IP address     VPN instance...
Totally 3 victim IP addresses.
Slot 1:
Totally 3 victim IP addresses.
Table 90 Command output
Field                           Description
Totally 3 victim IP addresses   Total number of IPv6 scanning attack victims.
IPv6 address                    IPv6 address of the victim.
VPN instance                    MPLS L3VPN instance to which the victim IPv6 address belongs. If the victim IPv6 address is on the public network, this field displays hyphens (--).
Scan attack defense statistics:
AttackType               AttackTimes   Dropped
Port scan
IP sweep
Distribute port scan
Flood attack defense statistics:
AttackType               AttackTimes   Dropped
SYN flood
ACK flood
SYN-ACK flood            5000
RST flood
FIN flood
UDP flood
ICMP flood
ICMPv6 flood
DNS flood
HTTP flood
Signature attack defense statistics:
AttackType...
ICMP source quench
ICMP destination unreachable
ICMP redirect
ICMP time exceeded
ICMP parameter problem
ICMP timestamp request
ICMP timestamp reply
ICMP information request
ICMP information reply
ICMP address mask request
ICMP address mask reply
ICMPv6 echo request
ICMPv6 echo reply
ICMPv6 group membership query
ICMPv6 group membership report
ICMPv6 group membership reduction...
IP option loose source routing
IP option strict source routing
IP option route alert
Fragment
Impossible
Teardrop
Tiny fragment
IP options abnormal
Smurf
Ping of death
Traceroute
Large ICMP
TCP NULL flag
TCP all flags
TCP SYN-FIN flags
TCP FIN only flag
TCP invalid flag
TCP Land
Winnuke...
Table 91 Command output
Field         Description
AttackType    Type of the attack.
AttackTimes   Number of times that the attack occurred.
Dropped       Number of dropped packets.
display attack-defense statistics local
Use display attack-defense statistics local to display attack detection and prevention statistics for the device.
ICMPv6 flood
DNS flood
HTTP flood
Signature attack defense statistics:
AttackType                        AttackTimes   Dropped
IP option record route
IP option security
IP option stream ID
IP option internet timestamp
IP option loose source routing
IP option strict source routing
IP option route alert
Fragment
Impossible
Teardrop...
ICMPv6 group membership report
ICMPv6 group membership reduction
ICMPv6 destination unreachable
ICMPv6 time exceeded
ICMPv6 parameter problem
ICMPv6 packet too big
# (MSR4000.) Display attack detection and prevention statistics for the device.
<Sysname> display attack-defense statistics local
Slot 0:
Attack policy name: abc
Scan attack defense statistics:
AttackType               AttackTimes   Dropped...
TCP FIN only flag
TCP invalid flag
TCP Land
Winnuke
UDP Bomb
Snork
Fraggle
Large ICMPv6
ICMP echo request
ICMP echo reply
ICMP source quench
ICMP destination unreachable
ICMP redirect
ICMP time exceeded
ICMP parameter problem
ICMP timestamp request
ICMP timestamp reply
ICMP information request
ICMP information reply
ICMP address mask request...
HTTP flood
Signature attack defense statistics:
AttackType                        AttackTimes   Dropped
IP option record route
IP option security
IP option stream ID
IP option internet timestamp
IP option loose source routing
IP option strict source routing
IP option route alert
Fragment
Impossible
Teardrop
Tiny fragment
IP options abnormal...
ICMPv6 destination unreachable
ICMPv6 time exceeded
ICMPv6 parameter problem
ICMPv6 packet too big
Table 92 Command output
Field         Description
AttackType    Type of the attack.
AttackTimes   Number of times that the attack occurred.
Dropped       Number of dropped packets.
Related commands
reset attack-defense statistics local
display blacklist ip
Use display blacklist ip to display IPv4 blacklist entries.
IP address        VPN instance     DS-Lite tunnel peer    Type      TTL(sec)   Dropped
123.123.123.123   a0123456789012   2013::fe07:221a:4011   Dynamic   123        4294967295
201.55.7.45       --               2013::1                Manual    Never      14478
192.168.11.5      --                                      Dynamic   10         353452
# (MSR4000.) Display IPv4 blacklist entries on the card in slot 0.
<Sysname> display blacklist ip slot 0
Slot 0:
IP address        VPN instance...
MSR4000: display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ count ] Views Any view Predefined user roles network-admin network-operator Parameters source-ipv6-address: Specifies the IPv6 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Totally 3 blacklist entries.
Table 94 Command output
Field          Description
IPv6 address   IPv6 address of the blacklist entry.
VPN instance   MPLS L3VPN instance to which the blacklisted IPv6 address belongs. If the blacklisted IPv6 address is on the public network, this field displays hyphens (--).
port port-number: Specifies a protected port in the range of 1 to 65535. If no port is specified, this command displays protected IPv4 addresses with port 53 for DNS client verification, port 80 for HTTP client verification, and all ports for TCP client verification. slot slot-number: Specifies a card by its slot number.
123.123.123.123   VPN1                  Dynamic   4294967295   15151
201.55.7.45                             Manual    15000
192.168.11.5                            Dynamic   353452
Slot 1:
IP address        VPN instance   Port   Type      Requested    Trusted
123.123.123.123   VPN1                  Dynamic   4294967295   15151
201.55.7.45                             Manual    15000
192.168.11.5                            Dynamic   353452
# (MSR1000/MSR2000/MSR3000.) Display the number of protected IPv4 addresses for DNS client verification.
Table 95 Command output
Field                              Description
Totally 3 protected IP addresses   Total number of protected IPv4 addresses.
IP address                         Protected IPv4 address.
VPN instance                       MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).
port port-number: Specifies a protected port in the range of 1 to 65535. If no port is specified, this command displays protected IPv6 addresses with port 53 for DNS client verification, port 80 for HTTP client verification, and all ports for TCP client verification. slot slot-number: Specifies a card by its slot number.
1023::1123        vpn1           Dynamic   4294967295   15151
1:2:3:4:5:6:7:8                  Manual    14478        5501
# (MSR1000/MSR2000/MSR3000.) Display the number of protected IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns protected ipv6 count
Totally 3 protected IPv6 addresses.
# (MSR4000.) Display the number of protected IPv6 addresses for DNS client verification.
<Sysname>...
Field       Description
Port        Port protected by TCP client verification. If TCP client verification protects all ports, this field displays any.
Type        Type of the protected IPv6 address, Manual or Dynamic.
Requested   Number of packets destined for the protected IPv6 address.
Trusted     Number of packets that passed the client verification.
11.1.1.2          vpn1                                          3600
123.123.123.123   a012345678901234567   1234:1234::1234:1234    3550
# (MSR4000.) Display the trusted IPv4 list for DNS client verification.
<Sysname> display client-verify dns trusted ip
Slot 0:
IP address        VPN instance          DS-Lite tunnel peer     TTL(sec)
11.1.1.2          vpn1                                          3600
123.123.123.123   a012345678901234567   1234:1234::1234:1234    3550
Slot 1:
IP address...
Examples
# Specify drop as the global action against DNS flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood action drop
Related commands
• dns-flood detect
• dns-flood detect non-specific
• dns-flood threshold
• client-verify dns enable
dns-flood detect
Use dns-flood detect to configure IP-specific DNS flood attack detection.
client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers. drop: Drops subsequent DNS packets destined for the protected IP address. logging: Enables logging for DNS flood attack events.
Usage guidelines This command enables global DNS flood attack detection. It applies to all IP addresses except for those specified by the dns-flood detect command. The system uses the global trigger threshold set by the dns-flood threshold command and global actions specified by the dns-flood action command. Examples # Enable DNS flood attack detection for non-specific IP addresses in attack defense policy atk-policy-1.
Related commands
• dns-flood action
• dns-flood detect
• dns-flood detect non-specific
dns-flood threshold
Use dns-flood threshold to set the global threshold for triggering DNS flood attack prevention.
Use undo dns-flood threshold to restore the default.
Syntax
dns-flood threshold threshold-value
undo dns-flood threshold
Default
The global threshold is 1000 for triggering DNS flood attack prevention.
Use undo exempt acl to restore the default. Syntax exempt acl [ ipv6 ] { acl-number | name acl-name } undo exempt acl [ ipv6 ] Default Attack defense exemption is not configured. The attack defense policy applies to all incoming packets. Views Attack defense policy view Predefined user roles...
undo fin-flood action Default No action is taken against detected FIN flood attacks. Views Attack defense policy view Predefined user roles network-admin Parameters client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
Views Attack defense policy view Predefined user roles network-admin Parameters ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. The ipv6-address argument cannot be a multicast address or all 0s.
Use undo fin-flood detect non-specific to restore the default. Syntax fin-flood detect non-specific undo fin-flood detect non-specific Default FIN flood attack detection is not enabled for non-specific IP addresses. Views Attack defense policy view Predefined user roles network-admin Usage guidelines This command enables global FIN flood attack detection.
Parameters threshold-value: Specifies the threshold for triggering FIN flood attack prevention. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second. Usage guidelines The global threshold applies to FIN flood attack detection for non-specific IP addresses. Adjust the threshold according to the application scenarios.
Usage guidelines To configure the HTTP flood attack detection to collaborate with the HTTP client verification, make sure the client-verify keyword is specified and the HTTP client verification is enabled. To enable HTTP client verification, use the client-verify http enable command. Examples # Specify drop as the global action against HTTP flood attacks in attack defense policy atk-policy-1.
threshold threshold-value: Sets the threshold for triggering HTTP flood attack prevention. The value range is 1 to 1000000 in units of HTTP packets sent to the specified IP address per second. action: Specifies the actions when an HTTP flood attack is detected. If no action is specified, the global actions set by the http-flood action command apply.
Predefined user roles network-admin Usage guidelines This command enables global HTTP flood attack detection. It applies to all IP addresses except for those specified by the http-flood detect command. The system uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command. Examples # Enable HTTP flood attack detection for non-specific IP addresses in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood port 80 8080
Related commands
• http-flood action
• http-flood detect
• http-flood detect non-specific
http-flood threshold
Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention.
Use undo http-flood threshold to restore the default.
Syntax
http-flood threshold threshold-value
undo http-flood threshold...
icmp-flood action Use icmp-flood action to specify global actions against ICMP flood attacks. Use undo icmp-flood action to restore the default. Syntax icmp-flood action { drop | logging } * undo icmp-flood action Default No action is taken against detected ICMP flood attacks. Views Attack defense policy view Predefined user roles...
Views Attack defense policy view Predefined user roles network-admin Parameters ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
undo icmp-flood detect non-specific Default ICMP flood attack detection is not enabled for non-specific IPv4 addresses. Views Attack defense policy view Predefined user roles network-admin Usage guidelines This command enables global ICMP flood attack detection. It applies to all IP addresses except for those specified by the icmp-flood detect ip command.
Usage guidelines The global threshold applies to ICMP flood attack detection for non-specific IP addresses. Adjust the threshold according to the application scenarios. If the number of ICMP packets to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
icmpv6-flood threshold Use icmpv6-flood threshold to set the global threshold for triggering ICMPv6 flood attack prevention. Use undo icmpv6-flood threshold to restore the default. Syntax icmpv6-flood threshold threshold-value undo icmpv6-flood threshold Default The global threshold is 1000 for triggering ICMPv6 flood attack prevention. Views Attack defense policy view Predefined user roles...
Predefined user roles network-admin network-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ip: Clears flood attack detection and prevention statistics for IPv4 addresses.
Syntax
reset attack-defense statistics local
Views
User view
Predefined user roles
network-admin
network-operator
Examples
# Clear attack detection and prevention statistics for the device.
<Sysname> reset attack-defense statistics local
Related commands
display attack-defense statistics local
reset blacklist ip
Use reset blacklist ip to clear dynamic IPv4 blacklist entries.
Syntax
reset blacklist ip { source-ip-address [ vpn-instance vpn-instance-name ] | all }
Views...
reset blacklist ipv6
Use reset blacklist ipv6 to clear dynamic IPv6 blacklist entries.
Syntax
reset blacklist ipv6 { source-ipv6-address [ vpn-instance vpn-instance-name ] | all }
Views
User view
Predefined user roles
network-admin
network-operator
Parameters
source-ipv6-address: Specifies the IPv6 address for a blacklist entry.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs.
Related commands
• display blacklist ip
• display blacklist ipv6
reset client-verify protected statistics
Use reset client-verify protected statistics to clear protected IP statistics for client verification.
Syntax
reset client-verify { dns | http | tcp } protected { ip | ipv6 } statistics
Views
User view
Predefined user roles...
Parameters dns: Specifies the DNS client verification function. http: Specifies the HTTP client verification function. tcp: Specifies the TCP client verification function. ip: Specifies the trusted IPv4 list. ipv6: Specifies the trusted IPv6 list. Examples # Clear the trusted IPv4 list for DNS client verification. <Sysname>...
Usage guidelines You can configure RST flood attack detection for multiple IP addresses in one attack defense policy. With RST flood attack detection configured, the device is in attack detection state. An attack occurs when the device detects that the sending rate of RST packets to a protected IP address reaches or exceeds the threshold.
Related commands
• rst-flood action
• rst-flood detect
• rst-flood threshold
rst-flood threshold
Use rst-flood threshold to set the global threshold for triggering RST flood attack prevention.
Use undo rst-flood threshold to restore the default.
Syntax
rst-flood threshold threshold-value
undo rst-flood threshold
Default
The global threshold is 1000 for triggering RST flood attack prevention.
Use undo scan detect to restore the default. Syntax scan detect level { high | low | medium } action { { block-source [ timeout minutes ] | drop } | logging } undo scan detect level { high | low | medium } Default Scanning attack detection is disabled.
# Configure scanning attack detection in attack defense policy atk-policy-1. Specify the detection level as low and the prevention actions as block-source and logging. Set the aging time for the dynamically added blacklist entries to 10 minutes.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action logging block-source timeout 10
Related commands...
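The following Python model is an added illustration, not device code, of how scan detect with the block-source action interacts with the blacklist commands in this chapter (blacklist ip for manual entries, dynamic entries with a timeout, reset blacklist ip clearing only the dynamic ones). The 100-second window, the distinct-target counts per level and the rule that the triggering packet is itself dropped are assumptions made for the example; the addresses and the port walk are constructed.

```python
from collections import defaultdict


class Blacklist:
    """IPv4 blacklist with manual (never expiring) and dynamic (timed) entries,
    matching the Type/TTL(sec)/Dropped columns of display blacklist ip."""

    def __init__(self):
        self.entries = {}  # src -> {"type": "Manual"|"Dynamic", "expires": int|None, "dropped": int}

    def add(self, src, now, timeout_minutes=None, manual=False):
        expires = None if manual or timeout_minutes is None else now + timeout_minutes * 60
        self.entries[src] = {"type": "Manual" if manual else "Dynamic",
                             "expires": expires, "dropped": 0}

    def is_blocked(self, src, now):
        e = self.entries.get(src)
        if e is None:
            return False
        if e["expires"] is not None and now >= e["expires"]:
            del self.entries[src]      # dynamic entry aged out
            return False
        e["dropped"] += 1
        return True

    def reset_dynamic(self):
        """reset blacklist ip all: clears dynamic entries, keeps manual ones."""
        self.entries = {s: e for s, e in self.entries.items() if e["type"] == "Manual"}

    def display(self, now):
        return [(s, e["type"], "Never" if e["expires"] is None else e["expires"] - now)
                for s, e in self.entries.items()]


class ScanDetector:
    """scan detect level <level> action { block-source [timeout] | drop } | logging.
    Counts distinct (dst, port) targets per source within a sliding window;
    the window length and the per-level target counts are assumptions."""

    WINDOW = 100                                           # seconds, assumed
    LEVEL_TARGETS = {"low": 50, "medium": 20, "high": 10}  # assumed: higher level is more sensitive

    def __init__(self, level, actions, timeout_minutes=None, blacklist=None):
        self.level = level
        self.actions = set(actions)
        self.timeout = timeout_minutes
        self.blacklist = blacklist if blacklist is not None else Blacklist()
        self.targets = defaultdict(list)   # src -> [(time, (dst, port)), ...]
        self.log = []
        self.attack_times = 0
        self.dropped = 0

    def packet(self, src, dst, port, now):
        """Process one packet; returns True if forwarded, False if dropped."""
        if self.blacklist.is_blocked(src, now):
            self.dropped += 1
            return False
        hist = self.targets[src]
        hist.append((now, (dst, port)))
        hist[:] = [(t, k) for t, k in hist if now - t <= self.WINDOW]
        if len({k for _, k in hist}) < self.LEVEL_TARGETS[self.level]:
            return True
        self.attack_times += 1
        hist.clear()
        if "logging" in self.actions:
            self.log.append(f"scan from {src}: {self.LEVEL_TARGETS[self.level]} targets within {self.WINDOW}s")
        if "block-source" in self.actions:
            self.blacklist.add(src, now, timeout_minutes=self.timeout)
        if self.actions & {"block-source", "drop"}:
            self.dropped += 1
            return False
        return True


def demo():
    """Constructed run: the configuration from the example above (level low,
    logging and block-source, 10-minute timeout), one scanner walking ports
    1..60 on a server, one manual entry, then a reset of dynamic entries."""
    det = ScanDetector("low", ["logging", "block-source"], timeout_minutes=10)
    scanner, server = "203.0.113.5", "10.0.0.5"
    forwarded = sum(det.packet(scanner, server, port, now=port) for port in range(1, 61))
    entry_dropped = det.blacklist.entries[scanner]["dropped"]
    det.blacklist.add("198.51.100.1", now=60, manual=True)      # blacklist ip 198.51.100.1
    before = sorted(det.blacklist.display(now=100))
    det.blacklist.reset_dynamic()                                # reset blacklist ip all
    after = sorted(det.blacklist.display(now=100))
    return {"forwarded": forwarded, "dropped": det.dropped,
            "attack_times": det.attack_times, "entry_dropped": entry_dropped,
            "before": before, "after": after,
            "scanner_after_reset": det.packet(scanner, server, 443, now=101)}
```

Note the asymmetry the reset command relies on: a manual entry carries no expiry and survives the reset, while a dynamic entry is the only kind a reset or a timeout removes, so an operator can clear the fallout of a false positive without losing deliberate blocks.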
signature detect Use signature detect to configure signature detection for single-packet attacks. Use undo signature detect to remove the signature detection configuration for single-packet attacks. Syntax signature detect { fraggle | fragment | impossible | ip-option-abnormal | land | large-icmp | large-icmpv6 | ping-of-death | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | teardrop | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]...
icmp-type: Specifies an ICMP packet attack by its signature type. You can specify the signature by the ICMP packet type value or keyword:
• icmp-type-value: Specifies the ICMP type value in the range of 0 to 255.
• address-mask-reply: Specifies the ICMP address mask reply type.
•...
ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255. An IPv6 extension header attack occurs when the specified IPv6 extension header value is detected. land: Specifies the Land attack. large-icmp: Specifies the large ICMP packet attack. large-icmpv6: Specifies the large ICMPv6 packet attack.
signature level action Use signature level action to specify the actions against single-packet attacks of a specific level. Use undo signature level action to restore the default. Syntax signature level { high | info | low | medium } action { { drop | logging } * | none } undo signature level { high | info | low | medium } action Default For informational-level and low-level single-packet attacks, the action is logging.
signature level detect Use signature level detect to enable signature detection for single-packet attacks of a specific level. Use undo signature level detect to disable signature detection for single-packet attacks of a specific level. Syntax signature level { high | info | low | medium } detect undo signature level { high | info | low | medium } detect Default Signature detection is disabled for all levels of single-packet attacks.
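The following Python model is an added illustration, not the device's detection engine, of how signature detect, signature level detect and signature level action fit together: a packet is checked against the enabled signatures, each signature carries a level, and the level's configured actions decide whether the packet is logged, dropped, or both. The packet representation, the level assigned to each signature, the 4000-byte large-ICMP size and the sample packets are assumptions constructed for the example. Only the info and low defaults (logging) come from the reference; the demo configures medium and high explicitly rather than assuming their defaults.

```python
ALL_TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def _tcp(p):
    return p.get("proto") == "tcp"


def _icmp(p):
    return p.get("proto") == "icmp"


# signature name -> (assumed level, check). Levels are assumptions for this
# example; the command reference does not list them on this page.
SIGNATURES = {
    "land": ("high", lambda p: _tcp(p) and "SYN" in p["flags"]
             and p["src"] == p["dst"] and p["sport"] == p["dport"]),
    "ping-of-death": ("high", lambda p: _icmp(p)
                      and p.get("frag_offset", 0) * 8 + p["length"] > 65535),
    "tcp-null-flag": ("medium", lambda p: _tcp(p) and not p["flags"]),
    "tcp-all-flags": ("medium", lambda p: _tcp(p) and ALL_TCP_FLAGS <= p["flags"]),
    "tcp-syn-fin": ("medium", lambda p: _tcp(p) and {"SYN", "FIN"} <= p["flags"]),
    "winnuke": ("medium", lambda p: _tcp(p) and p["dport"] == 139 and "URG" in p["flags"]),
    "large-icmp": ("medium", lambda p: _icmp(p) and p["length"] > 4000),   # size assumed
    "tcp-fin-only": ("low", lambda p: _tcp(p) and p["flags"] == {"FIN"}),
}


class SignaturePolicy:
    def __init__(self):
        self.detect_levels = set()   # signature level <level> detect (default: none enabled)
        # Defaults from the reference for info and low; medium and high are set by the operator.
        self.level_actions = {"info": {"logging"}, "low": {"logging"}}
        self.log = []

    def level_detect(self, level):
        self.detect_levels.add(level)

    def level_action(self, level, *actions):
        self.level_actions[level] = set(actions)

    def inspect(self, pkt):
        """Return (matched signature names, verdict). Verdict is "drop" if any
        matched signature's level has the drop action, otherwise "forward"."""
        matched = [name for name, (lvl, check) in SIGNATURES.items()
                   if lvl in self.detect_levels and check(pkt)]
        actions = set()
        for name in matched:
            actions |= self.level_actions.get(SIGNATURES[name][0], set())
        if "logging" in actions:
            self.log.append(f"single-packet attack {matched} from {pkt['src']} to {pkt['dst']}")
        return matched, ("drop" if "drop" in actions else "forward")


def run_demo():
    """Constructed packets through a policy with detection enabled at every
    level and drop plus logging configured for medium and high."""
    pol = SignaturePolicy()
    for lvl in ("info", "low", "medium", "high"):
        pol.level_detect(lvl)
    pol.level_action("medium", "drop", "logging")
    pol.level_action("high", "drop", "logging")

    def tcp(src, dst, sport, dport, flags):
        return {"proto": "tcp", "src": src, "dst": dst,
                "sport": sport, "dport": dport, "flags": set(flags)}

    packets = {
        "land":     tcp("10.0.0.5", "10.0.0.5", 80, 80, {"SYN"}),
        "null":     tcp("203.0.113.9", "10.0.0.5", 5555, 22, set()),
        "fin-only": tcp("203.0.113.9", "10.0.0.5", 5555, 22, {"FIN"}),
        "syn-fin":  tcp("203.0.113.9", "10.0.0.5", 5555, 22, {"SYN", "FIN"}),
        "normal":   tcp("198.51.100.7", "10.0.0.5", 40000, 443, {"SYN"}),
        "pod":      {"proto": "icmp", "src": "203.0.113.9", "dst": "10.0.0.5",
                     "length": 1500, "frag_offset": 8189},   # reassembles past 65535 bytes
    }
    return {label: pol.inspect(p) for label, p in packets.items()}, len(pol.log)
```

The FIN-only packet is the case to notice: it matches a signature, is logged, and is still forwarded, because its level carries only the logging action. Whether that is acceptable is exactly the decision signature level action exists to make.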
syn-ack-flood action Use syn-ack-flood action to specify global actions against SYN-ACK flood attacks. Use undo syn-ack-flood action to restore the default. Syntax syn-ack-flood action { client-verify | drop | logging } * undo syn-ack-flood action Default No action is taken against detected SYN-ACK flood attacks. Views Attack defense policy view Predefined user roles...
Syntax syn-ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ] undo syn-ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default SYN-ACK flood attack detection is not configured for any IP address.
Related commands
• syn-ack-flood action
• syn-ack-flood detect non-specific
• syn-ack-flood threshold
syn-ack-flood detect non-specific
Use syn-ack-flood detect non-specific to enable SYN-ACK flood attack detection for non-specific IP addresses.
Use undo syn-ack-flood detect non-specific to restore the default.
Syntax
syn-ack-flood detect non-specific
undo syn-ack-flood detect non-specific
Default
SYN-ACK flood attack detection is not enabled for non-specific IP addresses.
Syntax syn-ack-flood threshold threshold-value undo syn-ack-flood threshold Default The global threshold is 1000 for triggering SYN-ACK flood attack prevention. Views Attack defense policy view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold for triggering SYN-ACK flood attack prevention. The value range is 1 to 1000000 in units of SYN-ACK packets sent to an IP address per second.
Predefined user roles network-admin Parameters client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers. drop: Drops subsequent SYN packets destined for the victim IP addresses. logging: Enables logging for SYN flood attack events.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The ipv6-address argument cannot be a multicast address or all 0s.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
Views
Attack defense policy view

Predefined user roles
network-admin

Usage guidelines
This command enables global SYN flood attack detection. It applies to all IP addresses except those specified by the syn-flood detect command. The system uses the global trigger threshold set by the syn-flood threshold command and the global actions specified by the syn-flood action command.
[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect ip 192.168.1.2 threshold 2000

Related commands
• udp-flood action
• udp-flood detect non-specific
• udp-flood threshold

udp-flood detect non-specific

Use udp-flood detect non-specific to enable UDP flood attack detection for non-specific IP addresses.

Use undo udp-flood detect non-specific to restore the default.

Syntax
udp-flood detect non-specific
undo udp-flood detect non-specific...
undo udp-flood threshold

Default
The global threshold for triggering UDP flood attack prevention is 1000.

Views
Attack defense policy view

Predefined user roles
network-admin

Parameters
threshold-value: Specifies the threshold for triggering UDP flood attack prevention. The value range is 1 to 64000, in units of UDP packets sent to an IP address per second.
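The syn-ack-flood and udp-flood command groups above all follow the same evaluation model: a per-second packet count toward one destination IP is compared against either a per-IP threshold (set with "detect ip ... threshold") or, for addresses covered only by "detect non-specific", the global threshold, and the per-IP or global action set is applied when the threshold is exceeded. The following Python model is an added illustration of that logic and is not HP or Comware code; the class and function names, the "strictly above the threshold" rule and the sample traffic log are all assumptions constructed for this example, while the threshold ranges (1 to 1000000 for SYN-ACK, 1 to 64000 for UDP), the default of 1000 and the three action keywords come from the reference. Running it shows which IPs in the constructed log would trigger prevention and with which actions, which is a useful sanity check when choosing thresholds for a policy.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Values from the command reference: thresholds are packets per second sent to
# one IP address; the global default threshold is 1000 for both flood types.
THRESHOLD_RANGE = {"syn-ack-flood": (1, 1000000), "udp-flood": (1, 64000)}
DEFAULT_THRESHOLD = 1000
VALID_ACTIONS = frozenset({"client-verify", "drop", "logging"})


def threshold_is_valid(kind, value):
    """True when value lies inside the documented range for this flood type."""
    lo, hi = THRESHOLD_RANGE[kind]
    return lo <= value <= hi


@dataclass
class FloodPolicy:
    """Hypothetical model of one flood type inside an attack-defense policy."""
    kind: str                                  # "syn-ack-flood" or "udp-flood"
    global_threshold: int = DEFAULT_THRESHOLD  # "<kind> threshold"
    global_actions: frozenset = frozenset()    # "<kind> action"; default: none
    non_specific: bool = False                 # "<kind> detect non-specific"
    # ip -> (threshold or None, actions or None); None means "inherit global"
    specific: dict = field(default_factory=dict)

    def _check_threshold(self, value):
        if not threshold_is_valid(self.kind, value):
            raise ValueError(f"{self.kind} threshold {value} out of range")
        return value

    def _check_actions(self, actions):
        acts = frozenset(actions)
        if acts - VALID_ACTIONS:
            raise ValueError(f"unknown action(s): {sorted(acts - VALID_ACTIONS)}")
        return acts

    def set_threshold(self, value):
        self.global_threshold = self._check_threshold(value)

    def set_actions(self, *actions):
        self.global_actions = self._check_actions(actions)

    def detect_ip(self, ip, threshold=None, actions=None):
        """Models '<kind> detect ip A.B.C.D [threshold N] [action ...]'."""
        thr = None if threshold is None else self._check_threshold(threshold)
        acts = None if actions is None else self._check_actions(actions)
        self.specific[ip] = (thr, acts)

    def effective(self, ip):
        """(threshold, actions) that apply to ip, or None if ip is not monitored."""
        if ip in self.specific:
            thr, acts = self.specific[ip]
            return (thr if thr is not None else self.global_threshold,
                    acts if acts is not None else self.global_actions)
        if self.non_specific:
            return (self.global_threshold, self.global_actions)
        return None

    def evaluate(self, counts):
        """counts: ip -> packets seen in one second.  Returns ip -> actions for
        each monitored ip whose rate is strictly above its threshold (assumed)."""
        hits = {}
        for ip, n in counts.items():
            settings = self.effective(ip)
            if settings is not None and n > settings[0]:
                hits[ip] = settings[1]
        return hits


def rate_per_second(log):
    """Bucket a (timestamp, dst_ip) log into per-second destination counters."""
    per_sec = defaultdict(Counter)
    for ts, dst in log:
        per_sec[int(ts)][dst] += 1
    return per_sec


def run(policy, log):
    """Seconds with at least one IP over threshold: sec -> {ip: actions}."""
    result = {}
    for sec, counts in sorted(rate_per_second(log).items()):
        hits = policy.evaluate(counts)
        if hits:
            result[sec] = hits
    return result


def demo_policy():
    """Mirrors the reference's 192.168.1.2 example line plus assumed extras."""
    p = FloodPolicy("udp-flood")
    p.set_actions("logging")                   # udp-flood action logging
    p.non_specific = True                      # udp-flood detect non-specific
    p.detect_ip("192.168.1.2", threshold=2000)  # from the page's example
    p.detect_ip("10.0.0.7", threshold=500, actions=["drop", "logging"])  # assumed
    return p


# Constructed sample traffic (timestamp, destination IP), not captured data.
SAMPLE_LOG = ([(100, "10.0.0.5")] * 1200      # above the global 1000 threshold
              + [(100, "192.168.1.2")] * 1500  # below its specific 2000 threshold
              + [(100, "10.0.0.7")] * 600      # above its specific 500 threshold
              + [(100, "10.0.0.6")] * 999      # just below the global threshold
              + [(101, "10.0.0.5")] * 300)     # next second: quiet


if __name__ == "__main__":
    for sec, hits in run(demo_policy(), SAMPLE_LOG).items():
        for ip, acts in hits.items():
            print(f"t={sec}s {ip}: {sorted(acts) or 'no action'}")
```

Note that 192.168.1.2 receives 1500 packets in one second and is not reported, because its specific threshold of 2000 replaces the global 1000; without the specific entry the same traffic would have triggered the global actions. That is the practical reason for setting per-IP thresholds on servers that legitimately see high rates.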
Related information

Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals

For related documentation, navigate to the Networking section, and select a networking category.
•...
Conventions

This section describes the conventions used in this documentation set.

Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ...     Braces enclose a set of required syntax choices separated by vertical bars, from which
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Index
attack-defense apply policy, 558
attack-defense local apply policy, 559
session-limit, 1
attack-defense policy, 560
access-limit, 32
attack-defense signature log non-aggregate, 561
access-limit enable, 2
attribute, 244
accounting command, 2...