1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542
HP 6600/HSR6600 Routers
Security
Part number: 5998-1514
Software version: A6602-CMW520-R3103
A6600-CMW520-R3102-RPE
A6600-CMW520-R3102-RSE
HSR6602_MCP-CMW520-R3102
Document version: 6PW103-20130628

Advertising

   Related Manuals for HP HSR6600

   Summary of Contents for HP HSR6600

  • Page 1: Command Reference

    HP 6600/HSR6600 Routers Security Command Reference Part number: 5998-1514 Software version: A6602-CMW520-R3103 A6600-CMW520-R3102-RPE A6600-CMW520-R3102-RSE HSR6602_MCP-CMW520-R3102 Document version: 6PW103-20130628...

  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...

  • Page 3: Table Of Contents

    Contents AAA configuration commands ···································································································································· 1   General AAA configuration commands ························································································································· 1   aaa nas-id profile ····················································································································································· 1   access-limit enable ··················································································································································· 1   accounting command ··············································································································································· 2   accounting default ···················································································································································· 3   accounting dvpn ······················································································································································· 4   accounting lan-access ··············································································································································...

  • Page 4: Table Of Contents

    expiration-date ······················································································································································· 49   group ······································································································································································ 50   group-attribute allow-guest ··································································································································· 51   local-user ································································································································································ 51   password ································································································································································ 52   service-type ····························································································································································· 54   state (local user view) ············································································································································ 55   user-group ······························································································································································ 55   validity-date ···························································································································································· 56   RADIUS configuration commands ································································································································...

  • Page 5: Table Of Contents

    reset hwtacacs statistics ······································································································································ 109   reset stop-accounting-buffer (for HWTACACS) ································································································ 110   retry stop-accounting (HWTACACS scheme view) ·························································································· 111   secondary accounting (HWTACACS scheme view) ························································································ 112   secondary authentication (HWTACACS scheme view) ··················································································· 113   secondary authorization ····································································································································· 114  ...

  • Page 6: Table Of Contents

    display portal interface ······································································································································· 164   display portal server ··········································································································································· 165   display portal server statistics ···························································································································· 166   display portal tcp-cheat statistics ······················································································································· 169   display portal user ··············································································································································· 170   portal auth-network ·············································································································································· 172   portal auth-network destination ·························································································································· 173  ...

  • Page 7: Table Of Contents

    password-control authentication-timeout ··········································································································· 219   password-control complexity ······························································································································ 220   password-control composition ···························································································································· 220   password-control enable ····································································································································· 222   password-control expired-user-login ·················································································································· 222   password-control history ····································································································································· 223   password-control length ······································································································································ 223   password-control login idle-time ························································································································ 225  ...

  • Page 8: Table Of Contents

    pki certificate attribute-group ····························································································································· 263   pki delete-certificate ············································································································································ 264   pki domain ··························································································································································· 264   pki entity ······························································································································································· 265   pki import-certificate ············································································································································ 266   pki request-certificate domain ···························································································································· 266   pki retrieval-certificate ········································································································································· 267   pki retrieval-crl domain ······································································································································· 268  ...

  • Page 9: Table Of Contents

    transform······························································································································································· 321   transform-set ························································································································································· 321   tunnel local ··························································································································································· 322   tunnel remote ······················································································································································· 323   IKE configuration commands ·································································································································· 325   authentication-algorithm ····································································································································· 325   authentication-method ········································································································································· 325   certificate domain ················································································································································ 326   dh ·········································································································································································· 327   display ike dpd ····················································································································································...

  • Page 10: Table Of Contents

    cdup ······································································································································································ 363   delete ···································································································································································· 363   dir ·········································································································································································· 364   display sftp client source····································································································································· 365   display ssh client source ····································································································································· 365   display ssh server-info ········································································································································· 366   exit ········································································································································································ 367   get ········································································································································································· 367   help ······································································································································································· 368  ...

  • Page 11: Table Of Contents

    firewall ipv6 enable ············································································································································ 406   firewall packet-filter ············································································································································· 406   firewall packet-filter ipv6 ···································································································································· 407   reset firewall ipv6 statistics ································································································································· 408   reset firewall-statistics ·········································································································································· 408   ASPF configuration commands ··································································································································· 409   aspf-policy ···························································································································································· 409   display aspf all ···················································································································································· 409  ...

  • Page 12: Table Of Contents

    firewall http url-filter host acl ······························································································································ 450   firewall http url-filter host default ························································································································ 451   firewall http url-filter host enable ························································································································ 451   firewall http url-filter host ip-address ·················································································································· 452   firewall http url-filter host url-address ················································································································· 453   firewall http url-filter parameter ··························································································································...

  • Page 13: Table Of Contents

    ················································································································································ 517   fips mode enable ················································································································································· 517   fips self-test ··························································································································································· 518   Support and other resources ·································································································································· 520   Contacting HP ······························································································································································ 520   Subscription service ············································································································································ 520   Related information ······················································································································································ 520   Documents ···························································································································································· 520  ...

  • Page 14: Aaa Configuration Commands

    AAA configuration commands General AAA configuration commands aaa nas-id profile Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs. Use undo aaa nas-id profile to remove a NAS ID profile. Syntax aaa nas-id profile profile-name undo aaa nas-id profile profile-name...

  • Page 15: Accounting Command

    Views ISP domain view Default command level 2: System level Parameters max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646. Usage guidelines System resources are limited, and user connections may compete for network resources when there are many users.

  • Page 16: Accounting Default

    Examples # Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac Related commands accounting default • hwtacacs scheme • accounting default Use accounting default to configure the default accounting method for an ISP domain. Use undo accounting default to restore the default.

  • Page 17: Accounting Dvpn

    [Sysname] domain test [Sysname-isp-test] accounting default radius-scheme rd local Related commands local-user • hwtacacs scheme • radius scheme • accounting dvpn Use accounting dvpn to configure the accounting method for DVPN users. Use undo accounting dvpn to restore the default. Syntax accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] } undo accounting dvpn...

  • Page 18: Accounting Lan-access

    radius scheme • accounting lan-access Use accounting lan-access to configure the accounting method for LAN users. Use undo accounting lan-access to restore the default. Syntax accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } undo accounting lan-access Default The default accounting method for the ISP domain is used for LAN users.

  • Page 19: Accounting Login

    accounting login Use accounting login to configure the accounting method for login users through the console, AUX, or Asyn port or through Telnet. Use undo accounting login to restore the default. Syntax accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo accounting login Default...

  • Page 20: Accounting Optional

    accounting optional Use accounting optional to enable the accounting optional feature. Use undo accounting optional to disable the feature. Syntax accounting optional undo accounting optional Default The feature is disabled. Views ISP domain view Default command level 2: System level Usage guidelines After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or when...

  • Page 21: Accounting Ppp

    Default command level 2: System level Parameters local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The specified RADIUS scheme must have been configured. Examples # Configure ISP domain test to use local accounting for portal users.

  • Page 22: Accounting Ssl-vpn

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

  • Page 23: Authentication Default

    Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters Usage guidelines The following matrix shows the command and router compatibility: Command 6602 HSR6602 6604/6608/6616 accounting ssl-vpn The specified RADIUS scheme must have been configured. Examples # Configure ISP domain test to use RADIUS accounting scheme rd for SSL VPN users.

  • Page 24: Authentication Dvpn

    Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured. The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured. Examples # Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.

  • Page 25: Authentication Lan-access

    # Configure ISP domain test to use RADIUS authentication scheme rd for DVPN users and use local authentication as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authentication dvpn radius-scheme rd local Related commands • local-user authentication default • radius scheme •...

  • Page 26: Authentication Login

    [Sysname-isp-test] authentication lan-access radius-scheme rd local Related commands • local-user authentication default • • radius scheme authentication login Use authentication login to configure the authentication method for login users through the console, AUX, or Asyn port, Telnet, or FTP. Use undo authentication login to restore the default. Syntax authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }...

  • Page 27: Authentication Portal

    Related commands local-user • authentication default • • hwtacacs scheme radius scheme • authentication portal Use authentication portal to configure the authentication method for portal users. Use undo authentication portal to restore the default. Syntax authentication portal { local | none | radius-scheme radius-scheme-name [ local ] } undo authentication portal Default The default authentication method for the ISP domain is used for portal users.

  • Page 28: Authentication Ppp

    authentication ppp Use authentication ppp to configure the authentication method for PPP users. Use undo authentication ppp to restore the default. Syntax authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authentication ppp Default The default authentication method for the ISP domain is used for PPP users.

  • Page 29: Authentication Ssl-vpn

    authentication ssl-vpn Use authentication ssl-vpn to configure the authentication RADIUS method for SSL VPN users. Use undo authentication ssl-vpn to restore the default. Syntax authentication ssl-vpn radius-scheme radius-scheme-name undo authentication ssl-vpn Default The default authentication method for the ISP domain is used for SSL VPN users. Views ISP domain view Default command level...

  • Page 30: Authorization Command

    Default The default authentication method for the ISP domain is used for user privilege level switching authentication. Views ISP domain view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

  • Page 31: Authorization Default

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0. Usage guidelines The specified HWTACACS scheme must have been configured.

  • Page 32: Authorization Dvpn

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.

  • Page 33: Authorization Lan-access

    Parameters local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The specified RADIUS scheme must have been configured.

  • Page 34: Authorization Login

    none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines This command is supported only on SAP interface modules that are operating in Layer 2 mode. The specified RADIUS scheme must have been configured.

  • Page 35: Authorization Portal

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

  • Page 36: Authorization Ppp

    Default command level 2: System level Parameters local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

  • Page 37: Authorization Ssl-vpn

    Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated PPP user can access the network directly.

  • Page 38: Authorization-attribute User-profile

    Views ISP domain view Default command level 2: System level Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The following matrix shows the command and router compatibility: Command 6602 HSR6602 6604/6608/6616...

  • Page 39: Cut Connection

    Parameters profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide. Usage guidelines After a user of an ISP domain passes authentication, if the server (or the access device in the case of local authentication) does not authorize any user profile to the ISP domain, the system uses the user profile specified by the authorization-attribute user-profile command as that of the ISP domain.

  • Page 40: Display Connection

    ucibindex ucib-index: Specifies the user connection that uses the connection index, in the range of 0 to 4294967295. user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.

  • Page 41

    Default command level 1: Monitor level Parameters access-type: Specifies the user connections of the specified access type. • dot1x: Indicates 802.1X authentication. This keyword is supported only on the SAP interface modules that are operating in Layer 2 mode. mac-authentication: Indicates MAC address authentication. This keyword is supported only on the •...

  • Page 42

    authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain. How the device displays the username of a user on an interface configured with a mandatory authentication domain depends on the format of the username entered by the user at login: If the username does not contain the at sign (@), the device displays the username in the format •...

  • Page 43

    Slot: Index=0 , Username=telnet@system IP=10.0.0.1 IPv6=N/A Access=Admin ,AuthMethod=PAP Port Type=Virtual ,Port Name=N/A ACL Group=Disable User Profile=N/A CAR=Disable Priority=Disable SessionTimeout=60(s), Terminate-Action=Radius-Request Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s Total 1 connection matched. Slot: Total 0 connection matched. Slot: Total 0 connection matched. Table 1 Command output Field Description Slot...

  • Page 44: Display Domain

    display domain Use display domain to display the configuration of ISP domains. Syntax display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters isp-name: Name of an existing ISP domain, a string of 1 to 24 characters. |: Filters command output by specifying a regular expression.

  • Page 45

    Lan-access authorization scheme : hwtacacs:hw, local Lan-access accounting scheme : local Domain User Template: Idle-cut : Disabled Session-time : exclude-idle-time Self-service : Disabled Authorization attributes : User-profile : profile1 Default Domain Name: system Total 2 domain(s). Table 2 Command output Field Description Domain...

  • Page 46: Domain

    Field Description Authorization attributes Default authorization attributes for the ISP domain. User-profile Default authorization user profile. Related commands access-limit enable • domain • state • domain Use domain to create an ISP domain and enter ISP domain view. Use undo domain to remove an ISP domain. Syntax domain isp-name undo domain isp-name...

  • Page 47: Domain Default Enable

    domain default enable Use domain default enable to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain. Use undo domain default enable to restore the default. Syntax domain default enable isp-name undo domain default enable Default...

  • Page 48: Idle-cut Enable

    undo domain if-unknown Default No ISP domain is specified for users with unknown domain names. Views System view Default command level 3: Manage level Parameters isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), and at sign (@).

  • Page 49

    Views ISP domain view Default command level 2: System level Parameters minute: Idle timeout period, ranging from 1 to 600 minutes. flow: Minimum traffic during the idle timeout period in bytes. It ranges from 1 to 10240000 and defaults to 10240. Usage guidelines With the idle cut function enabled for a domain, the device checks the traffic of each online user in the domain at the idle timeout interval, and it logs out any user in the domain whose traffic during the idle...

  • Page 50: Nas Device-id

    low-ip-address and high-ip-address: Start and end IP addresses of the address pool. Up to 1024 addresses are allowed for an address pool. If you do not specify the end IP address, there is only one IP address in the pool, which is the start IP address. Usage guidelines You can also configure an address pool for PPP users in system view.

  • Page 51: Nas-id Bind Vlan

    Usage guidelines The following matrix shows the command and router compatibility: Command 6602 HSR6602 6604/6608/6616 nas device-id Configuring or changing the device ID of a device logs out all online users of the device. The two devices working in stateful failover mode must use the device IDs of 1 and 2. The device ID is the symbol for stateful failover mode.

  • Page 52: Self-service-url Enable

    <Sysname> system-view [Sysname] aaa nas-id profile aaa [Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2 Related commands aaa nas-id profile self-service-url enable Use self-service-url enable to enable the self-service server location function and specify the URL of the self-service server. Use undo self-service-url enable to restore the default. Syntax self-service-url enable url-string undo self-service-url enable...

  • Page 53: State (isp Domain View)

    undo session-time include-idle-time Default The user online time uploaded to the server excludes the idle cut time. Views ISP domain view Default command level 2: System level Usage guidelines The device uploads to the server the online user time when a user is logged off. However, the online user time of an abnormally logged-off user can contain an idle timeout interval or a detection interval when the idle cut function or online portal user detection is enabled.

  • Page 54: Local User Configuration Commands

    Usage guidelines By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected. Examples # Place the ISP domain test to the blocked state. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] state block Local user configuration commands access-limit...

  • Page 55: Authorization-attribute

    authorization-attribute Use authorization-attribute to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device assigns these attributes to the user. Use undo authorization-attribute to remove authorization attributes and restore the defaults. Syntax authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role { guest | guest-manager | security-audit } | vlan vlan-id |...

  • Page 56: Bind-attribute

    commands. For more information, see Network Management and Monitoring Command Reference. vlan vlan-id: Specifies the authorized VLAN, where vlan-id ranges from 1 to 4094. After passing authentication, a local user can access the resources in this VLAN. work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP service.

  • Page 57: Display Local-user

    Views Local user view Default command level 3: Manage level Parameters call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users. subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.

  • Page 58

    Parameters idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled. service-type: Specifies the local users who use a specified type of service. dvpn: DVPN tunnel users. • ftp: FTP users. This keyword is not supported in FIPS mode. •...

  • Page 59

    Examples # On the 6602 router, display information about all local users. <Sysname> display local-user The contents of local user abc: State: Active ServiceType: Access-limit: Enabled Current AccessNum: 0 Max AccessNum: User-group: system Bind attributes: IP address: 1.2.3.4 Bind location: 0/4/1 (SLOT/SUBSLOT/PORT) MAC address: 00-01-00-02-00-03...

  • Page 60

    Field Description Expiration date Expiration time of the local user. Password aging Aging time of the local user password. Password length Minimum length of the local user password. Password composition Password composition policy of the local user. # On the HSR6602/6604/6608/6616 router, display the information of local user bbb on the card installed on slot 0.

  • Page 61: Display User-group

    Field Description VLAN ID VLAN to which the local user is bound. User Profile User profile for local user authorization. Calling Number Calling number of the ISDN user. Authorization attributes Authorization attributes of the local user. Idle TimeOut Idle timeout period of the user, in minutes. Callback-number Authorized PPP callback number of the local user.

  • Page 62: Expiration-date

    <Sysname> display user-group abc The contents of user group abc: Authorization attributes: Idle-cut: 120(min) Work Directory: cfa0: Level: Acl Number: 2000 Vlan ID: User-Profile: Callback-number: Password aging: Enabled (1 days) Password length: Enabled (4 characters) Password composition: Enabled (1 types, 1 characters per type) Total 1 user group(s) matched.

  • Page 63: Group

    Default command level 3: Manage level Parameters time: Expiration time local user, format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month.

  • Page 64: Group-attribute Allow-guest

    [Sysname] local-user 111 [Sysname-luser-111] group abc group-attribute allow-guest Use group-attribute allow-guest to set the guest attribute for a user group so that guest users created by a guest manager through the Web interface can join the group. Use undo group-attribute allow-guest to restore the default. Syntax group-attribute allow-guest undo group-attribute allow-guest...

  • Page 65: Password

    Default command level 3: Manage level Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@) and cannot be a, al, or all.

  • Page 66

    Views Local user view Default command level 2: System level Parameters hash: Enables hash-based encryption. cipher: Sets a ciphertext password. simple: Sets a plaintext password. password: Specifies the password string. This argument is case sensitive. If hash is not specified, a ciphertext password must be a string of 1 to 1 17 characters and a plaintext password must be a string of 1 to 63 characters.

  • Page 67: Service-type

    service-type Use service-type to specify the service types that a user can use. Use undo service-type to delete one or all service types configured for a user. Syntax service-type { dvpn | ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp | web } undo service-type { dvpn | ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp | web } Default A user is authorized with no service.

  • Page 68: State (local User View)

    state (local user view) Use state to set the status of a local user. Use undo state to restore the default. Syntax state { active | block } undo state Default A local user is in active state. Views Local user view Default command level 2: System level Parameters...

  • Page 69: Validity-date

    Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Usage guidelines A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.

  • Page 70: Radius Configuration Commands

    system time is between the validity time and the expiration time. If it is, the device permits the user to access the network. Otherwise, the device denies the access request of the user. Examples # Set the validity time of user abc to 12:10:20 on April 30, 2008, and set the expiration time to 12:10:20 on May 31, 2008.

  • Page 71: Attribute 25 Car

    Examples # Enable the accounting-on feature for RADIUS authentication scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] accounting-on enable interval 5 send 15 Related commands radius scheme attribute 25 car Use attribute 25 car to specify the device to interpret the RADIUS class attribute (attribute 25) as CAR...

  • Page 72: Display Radius Scheme

    Default The unit for data flows is byte and that for data packets is one-packet. Views RADIUS scheme view Default command level 2: System level Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

  • Page 73

    exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines The following matrix shows the option and router compatibility: Option 6602 HSR6602...

  • Page 74

    Index number of the RADIUS scheme. Type of the RADIUS server supported on the router: • Extended—The RADIUS server uses the proprietary RADIUS protocol of HP for packet exchange. Type • Standard—The RADIUS server uses the standard RADIUS protocol for packet exchange.

  • Page 75: Display Radius Statistics

    Field Description Shared key for secure accounting communication, displayed as a series of Acct Server Encryption Key asterisks (******). If no shared key is configured, this field displays N/A. MPLS L3VPN to which the scheme belongs. If no VPN instance is specified VPN instance for the scheme, this field displays N/A.

  • Page 76

    |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.

  • Page 77

    RADIUS sent messages statistic: Auth accept Num = 10 Auth reject Num = 14 Auth continue Num = 0 Account success Num = 4 Account failure Num = 3 Server ctrl req Num = 0 RecError_MSG_sum = 0 SndMSG_Fail_sum Timer_Err Alloc_Mem_Err State Mismatch Other_Error...

  • Page 78

    Field Description RADIUS received messages statistic Statistics for received RADIUS messages. Normal auth request Counts of normal authentication requests. Auth request Counts of normal authentication requests. Account request Counts of accounting requests. Account off request Counts of stop-accounting requests. PKT auth timeout Counts of authentication timeout messages.

  • Page 79

    AcctStart = 0 RLTSend = 0 RLTWait = 0 AcctStop = 0 OnLine = 0 Stop = 0 StateErr = 0 Received and Sent packets statistic: Sent PKT total = 1547 Received PKT total = 23 Resend Times Resend total Total 1016 RADIUS received packets statistic:...

  • Page 80

    Table 8 Command output Field Description slot Number of the slot in which the card resides. state statistic User statistics, by state. DEAD Number of idle users. AuthProc Number of users waiting for authentication. AuthSucc Number of users who have passed authentication. AcctStart Number of users for whom accounting has been started.

  • Page 81: Display Stop-accounting-buffer (for Radius)

    Field Description Accounting on request Counts of accounting-on requests. Accounting on response Counts of accounting-on responses. Dynamic Author Ext request Counts of dynamic authorization extension requests. RADIUS sent messages statistic Statistics for sent RADIUS messages. Auth accept Number of accepted authentication packets. Auth reject Number of rejected authentication packets.

  • Page 82

    session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters. time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range. The start time and end time must be in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. user-name user-name: Specifies the stop-accounting requests buffered for a user.

  • Page 83: Key (radius Scheme View)

    user-name-format • • retry retry stop-accounting • key (RADIUS scheme view) Use key to set the shared key for secure RADIUS authentication/authorization or accounting communication. Use undo key to remove the configuration. Syntax key { accounting | authentication } [ cipher | simple ] key undo key { accounting | authentication } Default No shared key is configured.

  • Page 84: Nas-backup-ip

    <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] key accounting ok # For RADIUS scheme radius1, set the shared key for secure authentication/authorization communication to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] key authentication cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B Related commands display radius scheme nas-backup-ip Use nas-backup-ip to specify a backup source IP address for outgoing RADIUS packets in a stateful...

  • Page 85: Nas-ip (radius Scheme View)

    The setting configured by the nas-backup-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas the setting configured by the radius nas-backup-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. Examples # For a device working in stateful failover mode, set the source IP address and backup source IP address for outgoing RADIUS packets to 2.2.2.2 and 3.3.3.3, respectively.

  • Page 86: Primary Accounting (radius Scheme View)

    The source IP address specified for outgoing RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS scheme. Otherwise, the source IP address configuration does not take effect. A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new one overwrites the old one.

  • Page 87: Primary Authentication (radius Scheme View)

    cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 1 17 • characters. simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters. • If neither cipher nor simple is specified, you set a plaintext shared key string. •...

  • Page 88

    undo primary authentication Default No primary RADIUS authentication/authorization server is specified. Views RADIUS scheme view Default command level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication/authorization server. ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization server, which must be a valid global unicast address.

  • Page 89: Radius Client

    If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you remove the primary authentication server when an authentication process is in progress, the communication with the primary server times out, and the device looks for a server in active state from the new primary server on.

  • Page 90: Radius Nas-backup-ip

    undo radius client Default The RADIUS client service is enabled. Views System view Default command level 2: System level Usage guidelines When the RADIUS client service is disabled, the following events occur: No more stop-accounting requests of online users can be sent out or buffered, and the RADIUS •...

  • Page 91: Radius Nas-ip

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the backup source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network backup source IP address. With no VPN specified, the command specifies a public-network backup source IP address.

  • Page 92: Radius Scheme

    Default command level 2: System level Parameters ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address. ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device and cannot be a link-local address.

  • Page 93: Radius Trap

    Default command level 3: Manage level Parameters radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines A RADIUS scheme can be referenced by more than one ISP domain at the same time. A RADIUS scheme referenced by ISP domains cannot be removed. Examples # Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

  • Page 94: Reset Radius Statistics

    When the status of a RADIUS server changes. If a NAS sends a request but receives no response • before the maximum number of attempts is exceeded, it places the server to the blocked state and sends a trap message. If a NAS receives a response from a RADIUS server it considered unreachable, it considers that the RADIUS server is reachable again and also sends a trap message.

  • Page 95: Retry

    Syntax reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] Views User view Default command level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme.

  • Page 96: Retry Realtime-accounting

    Syntax retry retry-times undo retry Default The maximum number of RADIUS packet transmission attempts is 3. Views RADIUS scheme view Default command level 2: System level Parameters retry-times: Maximum number of RADIUS packet transmission attempts, ranging from 1 to 20. Usage guidelines Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

  • Page 97: Retry Stop-accounting (radius Scheme View)

    Default command level 2: System level Parameters retry-times: Maximum number of accounting attempts, ranging from 1 to 255. Usage guidelines A RADIUS server usually checks whether a user is online by using a timeout timer. If it receives no real-time accounting request for a user in the timeout period from the NAS, it considers that there may be line or device failures and stops accounting for the user.

  • Page 98: Secondary Accounting (radius Scheme View)

    Views RADIUS scheme view Default command level 2: System level Parameters retry-times: Maximum number of stop-accounting request transmission attempts, ranging from 10 to 65535. Usage guidelines The maximum number of stop-accounting request transmission attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets. Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of transmission attempts is five (set with the retry command), and the maximum number of stop-accounting request transmission attempts is 20 (set with...

  • Page 99

    Default command level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server, which must be a valid global unicast address. port-number: Specifies the service port number of the secondary RADIUS accounting server, which is a UDP port number ranging from 1 to 65535 and defaults to 1813.

  • Page 100: Secondary Authentication (radius Scheme View)

    Examples # For RADIUS scheme radius1, specify two secondary accounting servers with the server IP addresses of 10.1 10.1.1 and 10.1 10.1.2 and the UDP port number of 1813. Set the shared keys to hello in plain text. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key hello [Sysname-radius-radius1] secondary accounting 10.110.1.2 1813 key hello...

  • Page 101

    cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 1 17 • characters. simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters. • If neither cipher nor simple is specified, you set a plaintext shared key string. •...

  • Page 102: Security-policy-server

    For 802.1X authentication, if the status of every server is block, the device assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To make sure the device can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command.

  • Page 103: Server-type

    Default command level 2: System level Parameters ip-address: Specifies a security policy server by its IP address. all: Specifies all security policy servers. Usage guidelines You can specify up to eight security policy servers for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme. Examples # Specify security policy server 10.1 10.1.2 for RADIUS scheme radius1.

  • Page 104: State Primary

    state primary Use state primary to set the status of a primary RADIUS server. Syntax state primary { accounting | authentication } { active | block } Default The primary RADIUS server specified for a RADIUS scheme is in active state. Views RADIUS scheme view Default command level...

  • Page 105: Stop-accounting-buffer Enable (radius Scheme View)

    Default Every secondary RADIUS server specified in a RADIUS scheme is in active state. Views RADIUS scheme view Default command level 2: System level Parameters accounting: Sets the status of the secondary RADIUS accounting server. authentication: Sets the status of the secondary RADIUS authentication/authorization server. ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.

  • Page 106: Timer Quiet (radius Scheme View)

    Default The device buffers stop-accounting requests to which no responses are received. Views RADIUS scheme view Default command level 2: System level Usage guidelines Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers.

  • Page 107: Timer Realtime-accounting (radius Scheme View)

    Usage guidelines The quiet timer controls whether the device changes the status of an unreachable server from active to blocked and how long the device keeps an unreachable server in blocked state. If you determine that the primary server is unreachable because the device's port connected to the server is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible.

  • Page 108: Timer Response-timeout (radius Scheme View)

    Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more). Table 9 Recommended real-time accounting intervals Number of users Real-time accounting interval (in minutes)

  • Page 109: User-name-format (radius Scheme View)

    Examples # Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer response-timeout 5 Related commands retry user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Syntax user-name-format { keep-original | with-domain | without-domain } Default...

  • Page 110: Vpn-instance (radius Scheme View)

    vpn-instance (RADIUS scheme view) Use vpn-instance to specify a VPN instance for a RADIUS scheme. Use undo vpn-instance to remove the configuration. Syntax vpn-instance vpn-instance-name undo vpn-instance Views RADIUS scheme view Default command level 2: System level Parameters vpn-instance-name: Name of the MPLS VPN, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN instance specified here applies to all IPv4 servers in the RADIUS scheme for which no specific VPN instance is specified.

  • Page 111: Display Hwtacacs

    Default command level 2: System level Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

  • Page 112

    include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines The following matrix shows the option and router compatibility: Option 6602 HSR6602 6604/6608/6616 slot slot-number If no HWTACACS scheme is specified, the command displays the configuration of all HWTACACS schemes.

  • Page 113

    Packet traffic-unit : one-packet -------------------------------------------------------------------- Table 10 Command output Field Description HWTACACS-server template name Name of the HWTACACS scheme. IP address and port number of the primary authentication server. If no primary authentication server is specified, this field displays 0.0.0.0:0. Primary-authentication-server This rule also applies to the following eight fields.

  • Page 114: Hwtacacs Scheme

    HWTACACS authen client access request send authentication number: 0 HWTACACS authen client access request send password number: 0 HWTACACS authen client access connect abort number: 0 HWTACACS authen client access connect packet number: 5 HWTACACS authen client access response error number: 0 HWTACACS authen client access response failure number: 0 HWTACACS authen client access response follow number: 0 HWTACACS authen client access response getdata number: 0...

  • Page 115: Display Stop-accounting-buffer (for Hwtacacs)

    display stop-accounting-buffer (for HWTACACS) Use display stop-accounting-buffer to display information about buffered stop-accounting requests. Syntax display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined...

  • Page 116: Hwtacacs Nas-ip

    retry stop-accounting • hwtacacs nas-ip Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets. Use undo hwtacacs nas-ip to remove the configuration. Syntax hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ] undo hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ] Default The source IP address of a packet sent to the server is the IP address of the outbound interface.

  • Page 117: Hwtacacs Scheme

    hwtacacs scheme Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view. Use undo hwtacacs scheme to delete an HWTACACS scheme. Syntax hwtacacs scheme hwtacacs-scheme-name undo hwtacacs scheme hwtacacs-scheme-name Default No HWTACACS scheme exists. Views System view Default command level 3: Manage level Parameters...

  • Page 118: Nas-ip (hwtacacs Scheme View)

    Parameters accounting: Sets the shared key for secure HWTACACS accounting communication. authentication: Sets the shared key for secure HWTACACS authentication communication. authorization: Sets the shared key for secure HWTACACS authorization communication. cipher: Sets a ciphertext shared key. simple: Sets a plaintext shared key. key: Specifies the shared key string.

  • Page 119: Primary Accounting (hwtacacs Scheme View)

    Default The source IP address of an outgoing HWTACACS packet is configured by the hwtacacs nas-ip command in system view. If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface. Views HWTACACS scheme view Default command level...

  • Page 120: Primary Authentication (hwtacacs Scheme View)

    Default command level 2: System level Parameters ip-address: IP address of the primary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS accounting server. It is a TCP port in the range of 1 to 65535 and defaults to 49.

  • Page 121: Primary Authorization

    Views HWTACACS scheme view Default command level 2: System level Parameters ip-address: IP address of the primary HWTACACS authentication server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS authentication server. It is a TCP port in the range of 1 to 65535 and defaults to 49.

  • Page 122: Reset Hwtacacs Statistics

    Default No primary HWTACACS authorization server is specified. Views HWTACACS scheme view Default command level 2: System level Parameters ip-address: IP address of the primary HWTACACS authorization server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS authorization server. It is a TCP port in the range of 1 to 65535 and defaults to 49.

  • Page 123: Reset Stop-accounting-buffer (for Hwtacacs)

    Views User view Default command level 1: Monitor level Parameters accounting: Specifies the HWTACACS accounting statistics. all: Specifies all HWTACACS statistics. authentication: Specifies the HWTACACS authentication statistics. authorization: Specifies the HWTACACS authorization statistics. slot slot-number: Specifies the HWTACACS statistics for the card in the specified slot. Usage guidelines The following matrix shows the option and router compatibility: Option...

  • Page 124: Retry Stop-accounting (hwtacacs Scheme View)

    Usage guidelines The following matrix shows the option and router compatibility: Option 6602 HSR6602 6604/6608/6616 slot slot-number Examples # Clear the stop-accounting requests buffered for HWTACACS scheme hwt1. <Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1 Related commands stop-accounting-buffer enable • display stop-accounting-buffer •...

  • Page 125: Secondary Accounting (hwtacacs Scheme View)

    secondary accounting (HWTACACS scheme view) Use secondary accounting to specify a secondary HWTACACS accounting server. Use undo secondary accounting to remove the configuration. Syntax secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] * undo secondary accounting Default No secondary HWTACACS accounting server is specified. Views HWTACACS scheme view Default command level...

  • Page 126: Secondary Authentication (hwtacacs Scheme View)

    vpn-instance (HWTACACS scheme view) • secondary authentication (HWTACACS scheme view) Use secondary authentication to specify a secondary HWTACACS authentication server. Use undo secondary authentication to remove the configuration. Syntax secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] * undo secondary authentication Default No secondary HWTACACS authentication server is specified.

  • Page 127: Secondary Authorization

    Related commands display hwtacacs • vpn-instance (HWTACACS scheme view) • secondary authorization Use secondary authorization to specify a secondary HWTACACS authorization server. Use undo secondary authorization to remove the configuration. Syntax secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] * undo secondary authorization Default No secondary HWTACACS authorization server is specified.

  • Page 128: Stop-accounting-buffer Enable (hwtacacs Scheme View)

    Related commands display hwtacacs • vpn-instance (HWTACACS scheme view) • stop-accounting-buffer enable (HWTACACS scheme view) Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function. Syntax stop-accounting-buffer enable undo stop-accounting-buffer enable...

  • Page 129: Timer Realtime-accounting (hwtacacs Scheme View)

    Default The primary server quiet period is 5 minutes. Views HWTACACS scheme view Default command level 2: System level Parameters minutes: Primary server quiet period. The value ranges from 1 to 255, in minutes. Usage guidelines When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until the quiet timer expires.

  • Page 130: Timer Response-timeout (hwtacacs Scheme View)

    Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance. Use a longer interval when there are a large number of users (more than 1000, inclusive). Table 11 Recommended real-time accounting intervals Number of users Real-time accounting interval (in minutes) 1 to 99...

  • Page 131: User-name-format (hwtacacs Scheme View)

    Related commands display hwtacacs user-name-format (HWTACACS scheme view) Use user-name-format to specify the format of the username to be sent to an HWTACACS server. Syntax user-name-format { keep-original | with-domain | without-domain } Default The ISP domain name is included in the username. Views HWTACACS scheme view Default command level...

  • Page 132

    Syntax vpn-instance vpn-instance-name undo vpn-instance Views HWTACACS scheme view Default command level 2: System level Parameters vpn-instance-name: Name of MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified.

  • Page 133: X Commands

    802.1X commands 802.1X commands are supported only on a SAP module that is operating in bridge mode. display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views Any view...

  • Page 134

    EAD quick deploy is enabled Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Reauth Period 3600 s The maximal retransmitting times EAD quick deploy configuration: URL: http://192.168.19.23 Free IP: 192.168.19.0 255.255.255.0 EAD timeout:...

  • Page 135

    Table 12 Command output Field Description Equipment 802.1X protocol is enabled Whether 802.1X is enabled globally. CHAP authentication is enabled Whether CHAP authentication is enabled. Whether the device sends a trap when detecting that a user is Proxy trap checker is disabled accessing the network through a proxy.

  • Page 136

    Field Description Authenticate Mode is Auto Authorization state of the port. Port Control Type is Port-based Access control method of the port. 802.1X Multicast-trigger is enabled Whether the 802.1X multicast-trigger function is enabled. Mandatory authentication domain Mandatory authentication domain on the port. 802.1X guest VLAN configured on the port.

  • Page 137: Dot1x

    dot1x Use dot1x to enable 802.1X. Use undo dot1x to disable 802.1X. Syntax In system view: dot1x [ interface interface-list ] undo dot1x [ interface interface-list ] In Ethernet interface view: dot1x undo dot1x Default 802.1X is neither enabled globally nor enabled for any port. Views System view, Ethernet interface view Default command level...

  • Page 138: Dot1x Authentication-method

    <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] dot1x [Sysname-GigabitEthernet3/0/1] quit [Sysname] interface gigabitethernet 3/0/5 [Sysname-GigabitEthernet3/0/5] dot1x [Sysname-GigabitEthernet3/0/5] quit [Sysname] interface gigabitethernet 3/0/6 [Sysname-GigabitEthernet3/0/6] dot1x [Sysname-GigabitEthernet3/0/6] quit [Sysname] interface gigabitethernet 3/0/7 [Sysname-GigabitEthernet3/0/7] dot1x # Enable 802.1X globally. <Sysname> system-view [Sysname] dot1x Related commands display dot1x dot1x authentication-method...

  • Page 139: Dot1x Auth-fail Vlan

    PAP transports usernames and passwords in clear text. The authentication method applies to scenarios that do not require high security. To use PAP, the client must be an HP iNode 802.1X client. CHAP transports username in plaintext and encrypted password over the network. It is more secure than PAP.

  • Page 140: Dot1x Critical Vlan

    Parameters authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2 LAN Switching Configuration Guide.

  • Page 141: Dot1x Critical Recovery-action

    Parameters vlan-id: Specifies a VLAN ID in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2 LAN Switching — Configuration Guide. Usage guidelines You can configure only one critical VLAN on a port.

  • Page 142: Dot1x Domain-delimiter

    Usage guidelines The dot1x critical recovery-action command takes effect only for the 802.1X users in the critical VLAN on a port. It enables the port to take one of the following actions to trigger 802.1X authentication after removing 802.1X users from the critical VLAN on detection of a reachable RADIUS authentication server: If MAC-based access control is used, the port sends a unicast Identity EAP/Request to each 802.1X •...

  • Page 143: Dot1x Guest-vlan

    Examples # Specify the characters @, /, and \ as domain name delimiters. <Sysname> system-view [Sysname] dot1x domain-delimiter @\/ dot1x guest-vlan Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on a port accommodates users that have not performed 802.1X authentication.

  • Page 144: Dot1x Handshake

    To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN configuration first. You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port. Examples # Specify VLAN 999 as the 802.1X guest VLAN for port GigabitEthernet 3/0/1 <Sysname>...

  • Page 145: Dot1x Handshake Secure

    HP recommends that you use the iNode client software to ensure the normal operation of the online user handshake function. Examples # Enable the online user handshake function. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/4 [Sysname-GigabitEthernet3/0/4] dot1x handshake dot1x handshake secure Use dot1x handshake secure to enable the online user handshake security function.

  • Page 146: Dot1x Max-user

    undo dot1x mandatory-domain Default No mandatory authentication domain is specified. Views Ethernet interface view Default command level 2: System level Parameters domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. Usage guidelines When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.

  • Page 147

    Syntax In system view: dot1x max-user user-number [ interface interface-list ] undo dot1x max-user [ interface interface-list ] In Ethernet interface view: dot1x max-user user-number undo dot1x max-user Default The port supports a maximum of 1024 concurrent 802.1X users. Views System view, Ethernet interface view Default command level 2: System level...

  • Page 148: Dot1x Multicast-trigger

    Related commands display dot1x dot1x multicast-trigger Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts Identify EAP-Request packets out of a port to detect 802.1X clients and trigger authentication. Use undo dot1x multicast-trigger to disable the function. Syntax dot1x multicast-trigger undo dot1x multicast-trigger...

  • Page 149: Dot1x Port-method

    undo dot1x port-control Default The default port authorization state is auto. Views System view, Ethernet interface view Default command level 2: System level Parameters authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication.

  • Page 150

    Use undo dot1x port-method to restore the default. Syntax In system view: dot1x port-method { macbased | portbased } [ interface interface-list ] undo dot1x port-method [ interface interface-list ] In Ethernet interface view: dot1x port-method { macbased | portbased } undo dot1x port-method Default MAC-based access control applies.

  • Page 151: Dot1x Quiet-period

    [Sysname] dot1x port-method portbased interface gigabitethernet 3/0/2 to gigabitethernet 3/0/5 Related commands display dot1x dot1x quiet-period Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. Use undo dot1x quiet-period to disable the timer.

  • Page 152: Dot1x Retry

    Default command level 2: System level Usage guidelines Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. You can use the dot1x timer reauth-period command to configure the interval for re-authentication.

  • Page 153: Dot1x Supp-proxy-check

    Examples # Set the maximum number of attempts for sending an authentication request to a client as 9. <Sysname> system-view [Sysname] dot1x retry 9 Related commands display dot1x dot1x supp-proxy-check Use dot1x supp-proxy-check to enable the proxy detection function and set the processing method on the specified ports or all ports.

  • Page 154: Dot1x Timer

    Examples # Configure ports GigabitEthernet 3/0/1 to 1/8 to log off users accessing the network through a proxy. <Sysname> system-view [Sysname] dot1x supp-proxy-check logoff [Sysname] dot1x supp-proxy-check logoff interface gigabitethernet 3/0/1 to gigabitethernet 3/0/8 # Configure port GigabitEthernet 3/0/9 to send a trap when a user is detected accessing the network through a proxy.

  • Page 155: Dot1x Unicast-trigger

    supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120. tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120. Usage guidelines You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response, or adjust the server timeout timer to adapt to the performance of different authentication servers.

  • Page 156: Reset Dot1x Statistics

    Default The unicast trigger function is disabled. Views Ethernet interface view Default command level 2: System level Usage guidelines The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast Identity EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has received no response within a period of time (set with the dot1x timer tx-period command).

  • Page 157

    Examples # Clear 802.1X statistics on port GigabitEthernet 3/0/1. <Sysname> reset dot1x statistics interface gigabitethernet 3/0/1 Related commands display dot1x...

  • Page 158: Ead Fast Deployment Commands

    EAD fast deployment commands EAD fast deployment commands are supported only on a SAP module that is operating in bridge mode. dot1x free-ip Use dot1x free-ip to configure a free IP. Users can access the segment before passing 802.1X authentication. Use undo dot1x free-ip to remove the specified or all free IP addresses.

  • Page 159: Dot1x Url

    Syntax dot1x timer ead-timeout ead-timeout-value undo dot1x timer ead-timeout Default The timer is 30 minutes. Views System view Default command level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes. The value range is 1 to 1440. Usage guidelines EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network.

  • Page 160

    Default command level 2: System level Parameters url-string: Specifies the redirect URL, a case-sensitive string of 1 to 64 characters in the format http://string. Usage guidelines The redirect URL must be on the free IP subnet. If you configure the dot1x url command multiple times, the last configured URL takes effect. Examples # Configure the redirect URL as http://192.168.0.1.

  • Page 161: Mac Authentication Configuration Commands

    MAC authentication configuration commands MAC authentication commands are available only for SAP modules that are operating in bridge mode. display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics, including global settings, and port-specific settings and MAC authentication and online user statistics. Syntax display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views...

  • Page 162

    Server response timeout value is 100s The max allowed user number is 2048 per slot Current user number amounts to 0 Current domain: not configured, use default domain Silent Mac User info: MAC Addr From Port Port Index GigabitEthernet3/0/1 is link-up MAC address authentication is enabled Authenticate success: 0, failed: 0 Max number of on-line users is 1024...

  • Page 163: Mac-authentication

    Field Description Status of the link on port GigabitEthernet 3/0/1. In this example, the link GigabitEthernet3/0/1 is link-up is up. MAC address authentication is Whether MAC authentication is enabled on port GigabitEthernet enabled 3/0/1. MAC authentication statistics, including the number of successful and Authenticate success: 0, failed: 0 unsuccessful authentication attempts.

  • Page 164: Mac-authentication Domain

    Default command level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1- 1 0>, where &<1- 1 0> indicates that you can specify up to 10 port ranges.

  • Page 165: Mac-authentication Max-user

    Parameters domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@). Usage guidelines The global authentication domain is applicable to all MAC authentication enabled ports.

  • Page 166: Mac-authentication Timer

    [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] mac-authentication max-user 32 mac-authentication timer Use mac-authentication timer to set the MAC authentication timers. Use undo mac-authentication timer to restore the default settings. Syntax mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } undo mac-authentication timer { offline-detect | quiet | server-timeout } Default The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100...

  • Page 167

    Use undo mac-authentication user-name-format to restore the default. Syntax mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] } undo mac-authentication user-name-format Default Each user's MAC address is used as the username and password for MAC authentication, and letters...

  • Page 168: Reset Mac-authentication Statistics

    Examples # Configure a shared account for MAC authentication users, and set the username as abc and password as a plaintext string of xyz. <Sysname> system-view [Sysname] mac-authentication user-name-format fixed account abc password simple xyz # Configure a shared account for MAC authentication users, and set the username as abc and password as a ciphertext string of $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg.

  • Page 169: Portal Configuration Commands

    Portal configuration commands Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting. access-user detect Use access-user detect to configure the online portal user detection function. Use undo access-user detect to restore the default. Syntax access-user detect type arp retransmit number interval interval undo access-user detect...

  • Page 170: Display Portal Acl

    Examples # Configure the portal user detection function on interface GigabitEthernet 0/1, specifying the probe packets as ARP requests, maximum number of probe attempts as 3, and probe interval as 10 seconds. <Sysname> system-view [Sysname] interface gigabitethernet0/1 [Sysname-GigabitEthernet0/1] access-user detect type arp retransmit 3 interval 10 display portal acl Use display portal acl to display the ACLs on a specific interface.

  • Page 171

    Port : 50000 ~ 51000 : 0000-0000-0000 Interface : any VLAN Destination: : 111.111.111.111 Mask : 255.255.255.255 Port : 40000 Rule 1 Inbound interface : GigabitEthernet3/0/1 Type : static Action : permit Protocol Source: : 0.0.0.0 Mask : 0.0.0.0 Port : 23 : 0000-0000-0000 Interface : any...

  • Page 172: Display Portal Connection Statistics

    Mask : 255.255.255.255 : 000d-88f8-0eab Interface : GigabitEthernet3/0/1 VLAN Protocol Destination: : 0.0.0.0 Mask : 0.0.0.0 Author ACL: Number : 3001 Table 14 Command output Field Description Rule Sequence number of the portal ACL, which is numbered from 0 in ascending order. Inbound interface Interface to which the portal ACL is bound.

  • Page 173

    Syntax display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression.

  • Page 174

    MSG_LOGIN_REQ MSG_LOGOUT_REQ MSG_LEAVING_REQ MSG_ARPPKT MSG_PORT_REMOVE MSG_VLAN_REMOVE MSG_IF_REMOVE MSG_IF_SHUT MSG_IF_DISPORTAL MSG_IF_UP MSG_ACL_RESULT MSG_AAACUTBKREQ MSG_CUT_BY_USERINDEX MSG_CUT_L3IF MSG_IP_REMOVE MSG_ALL_REMOVE MSG_IFIPADDR_CHANGE MSG_SOCKET_CHANGE MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT Table 15 Command output Field Description User state statistics Statistics on portal users. State-Name Name of a user state. User-Num Number of users in a specific state.

  • Page 175: Display Portal Free-rule

    Field Description MSG_ARPPKT ARP message. MSG_PORT_REMOVE Users-of-a-Layer-2-port-removed message. MSG_VLAN_REMOVE VLAN user removed message. Users-removed message, indicating the users on a Layer 3 interface were MSG_IF_REMOVE removed because the Layer 3 interface was removed. MSG_IF_SHUT Layer 3 interface shutdown message. MSG_IF_DISPORTAL Portal-disabled-on-interface message.

  • Page 176

    include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about portal-free rule 1. <Sysname> display portal free-rule 1 Rule-Number Source: : 2.2.2.0 Mask : 255.255.255.0 Port...

  • Page 177: Display Portal Interface

    Field Description Destination Destination information in the portal-free rule. Destination IP address in the portal-free rule. Mask Subnet mask of the destination IP address in the portal-free rule. Port Destination transport layer port number in the portal-free rule. Protocol Transport layer protocol number in the portal-free rule. Related commands portal free-rule display portal interface...

  • Page 178: Display Portal Server

    Table 17 Command output Field Description Portal configuration of interface Portal configuration on the interface. IPv4 IPv4 portal configuration. Status of the portal authentication on the interface: • Portal disabled—Portal authentication is disabled. Status • Portal enabled—Portal authentication is enabled but is not functioning. •...

  • Page 179: Display Portal Server Statistics

    • Server Type CMCC—CMCC portal server. • IMC—HP IMC portal server. Current status of the portal server. Possible values include: • N/A—The server is not referenced on any interface, or the server detection function is not enabled. The reachability of the portal server is unknown.

  • Page 180

    Views Any view Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.

  • Page 181

    NTF_AUTH ACK_NTF_AUTH REQ_QUERY_STATE ACK_QUERY_STATE RESERVED33 RESERVED35 Table 19 Command output Field Description Interface Interface referencing the portal server. Invalid packets Number of invalid packets. Pkt-Name Packet type. Total Total number of packets. Discard Number of discarded packets. Checkerr Number of erroneous packets. REQ_CHALLENGE Challenge request message the portal server sent to the access device.

  • Page 182: Display Portal Tcp-cheat Statistics

    Field Description NTF_CHALLENGE Challenge request the access device sent to the portal server. User information notification message the access device sent to the portal NTF_USER_NOTIFY server. NTF_USER_NOTIFY acknowledgment message the access device sent to AFF_NTF_USER_NOTIFY the portal server. Forced authentication notification message the portal server sent to the NTF_AUTH access device.

  • Page 183: Display Portal User

    Packets Sent: 0 Packets Retransmitted: 0 Packets Dropped: 0 HTTP Packets Sent: 0 Connection State: SYN_RECVD: 0 ESTABLISHED: 0 CLOSE_WAIT: 0 LAST_ACK: 0 FIN_WAIT_1: 0 FIN_WAIT_2: 0 CLOSING: 0 Table 20 Command output Field Description TCP Cheat Statistic TCP spoofing statistics. Total Opens Total number of opened connections.

  • Page 184

    Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.

  • Page 185: Portal Auth-network

    Field Description User's working mode: • Primary. Work-mode • Secondary. • Stand-alone. VPN instance MPLS L3VPN to which the portal server belongs. MAC address of the portal user. IP address of the portal user. Vlan VLAN to which the portal user belongs. Interface Interface to which the portal user is attached.

  • Page 186: Portal Auth-network Destination

    authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users. You can configure multiple authentication source subnets by executing the portal auth-network command. The system supports up to 16 authentication source subnets and destination subnets. Examples # Configure a portal authentication source subnet of 10.10.10.0/24 on GigabitEthernet 3/0/1 to allow users from subnet 10.10.10.0/24 to trigger portal authentication.

  • Page 187: Portal Backup-group

    If both an authentication source subnet and destination subnet are configured on an interface, only the authentication destination subnet takes effect. Examples # Configure a portal authentication destination subnet of 2.2.2.0/24 on GigabitEthernet 3/0/1, so that only users accessing subnet 2.2.2.0/24 trigger portal authentication on the interface. Users can access other subnets through the interface without portal authentication.

  • Page 188: Portal Delete-user

    Command 6602 HSR6602 6604/6608/6616 portal backup-group Examples # In the stateful failover networking environment, add the portal service backup interface GigabitEthernet 0/0/1 to portal group 1 on the source backup device. <Sysname> system-view [Sysname] interface gigabitethernet 0/0/1 [Sysname-GigabitEthernet0/0/1] portal backup-group 1 On the peer device (destination backup device), you must also add the corresponding service backup interface in to portal group 1.

  • Page 189: Portal Free-rule

    undo portal domain Default No authentication domain is specified for portal users on an interface. Views Interface view Default command level 2: System level Parameters domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain specified by this argument must already exist. Examples # Configure the authentication domain for IPv4 portal users on GigabitEthernet 3/0/1 as my-domain.

  • Page 190: Portal Max-user

    mask { mask-length | mask }: Specifies a mask or mask length for the IP address. The mask argument is a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer in the range of 0 to 32. tcp tcp-port-number [ to tcp-port-number ]: Specifies a range of TCP port numbers.

  • Page 191: Portal Nas-id

    Views System view Default command level 2: System level Parameters max-number: Maximum number of online portal users allowed in the system. The following matrix shows the value range for the max-number argument on different 6600/HSR6600 routers: Argument 6602 HSR6602 6604/6608/6616 •...

  • Page 192: Portal Nas-id-profile

    Views Interface view, system view Default command level 2: System level Parameters nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters. This value is used as the value of the NAS-Identifier attribute in the RADIUS request to be sent to the RADIUS server when a portal user logs on from an interface.

  • Page 193: Portal Nas-ip

    If a NAS ID is configured using the portal nas-id command, the device uses the configured NAS ID • as that of the interface. If the interface has no NAS ID configured, the device uses the device name as the interface NAS ID. •...

  • Page 194: Portal Nas-port-type

    undo portal nas-port-id Default No NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request. Views Interface view Default command level 2: System level Parameters nas-port-id-value: NAS-Port-ID value, a case-sensitive string of 1 to 253 characters.

  • Page 195: Portal Redirect-url

    wireless: Specifies the access port type as IEEE 802.1 1 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless. Examples # Specify the NAS-Port-Type value of GigabitEthernet 3/0/1 as IEEE 802.1 1 standard wireless interface.

  • Page 196

    Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters. ip ip-address: Specifies the IP address of the portal server. In portal stateful failover environments, HP recommends specifying the virtual IP address of the VRRP group to which the downlink belongs as the portal server IP address.

  • Page 197: Portal Server Method

    For security purposes, all passwords, including passwords configured in plain text, are saved in cipher text to the configuration file. Examples # Configure portal server pts, setting the IP address to 192.168.0.1 1 1, the key to portal in plain text, and the redirection URL to http://192.168.0.1 13/portal.

  • Page 198: Portal Server Server-detect

    Related commands display portal server portal server server-detect Use portal server server-detect to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. When this function is configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes.

  • Page 199

    log: Specifies the action as sending a log message. When the status (reachable/unreachable) of a • portal server changes, the access device sends a log message. The log message contains the portal server name and the current state and original state of the portal server. •...

  • Page 200: Portal Server User-sync

    portal server user-sync Use portal server user-sync to configure portal user information synchronization with a specific portal server. When this function is configured, the device periodically checks and responds to the user synchronization packet received from the specified portal server, so as to keep the consistency of the online user information on the device and the portal server.

  • Page 201: Reset Portal Connection Statistics

    Examples # Configure the device to synchronize portal user information with portal server pts: Setting the synchronization probe interval to 600 seconds • • Specifying the device to log off users if information of the users does not exist in the user synchronization packets sent from the server in two consecutive probe intervals.

  • Page 202: Reset Portal Tcp-cheat Statistics

    reset portal tcp-cheat statistics Use reset portal tcp-cheat statistics to clear TCP spoofing statistics. Syntax reset portal tcp-cheat statistics Views User view Default command level 1: Monitor level Examples # Clear TCP spoofing statistics. <Sysname> reset portal tcp-cheat statistics...

  • Page 203: Port Security Configuration Commands

    Port security configuration commands The port security commands are available only for SAP modules that are operating in bridge mode. display port-security Use display port-security to display port security configuration information, operation information, and statistics for one or more ports. Syntax display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views...

  • Page 204

    RALM logfailure trap is enabled AutoLearn aging time is 1 minutes Disableport Timeout: 20s OUI value: Index is 1, OUI value is 000d1a Index is 2, OUI value is 003c12 GigabitEthernet3/0/1 is link-down Port mode is userLoginWithOUI NeedToKnow mode is NeedToKnowOnly Intrusion Portection mode is DisablePort Max MAC address number is 50 Stored MAC address number is 0...

  • Page 205

    Field Description Disableport Timeout Silence timeout period of the port that receives illegal packets, in seconds. OUI value List of OUI values allowed. Port security mode: • noRestrictions. • autoLearn. • macAddressWithRadius. • macAddressElseUserLoginSecure. • macAddressElseUserLoginSecureExt. • Port mode secure. •...

  • Page 206: Display Port-security Mac-address Block

    Related commands port-security enable • port-security port-mode • • port-security ntk-mode port-security intrusion-mode • port-security max-mac-count • port-security mac-address security • port-security authorization ignore • • port-security oui port-security trap • display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses. Syntax display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]...

  • Page 207

    000f-3d80-0d2d GigabitEthernet3/0/1 --- On slot 3, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display the count of all blocked MAC addresses. <Sysname> display port-security mac-address block count --- On slot 2, no mac address found --- --- On slot 3, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses in VLAN 30.

  • Page 208: Display Port-security Mac-address Security

    Field Description VLAN ID ID of the VLAN to which the port belongs. On slot n, x mac address(es) found Number of blocked MAC addresses on slot n. x mac address(es) found Total number of blocked MAC addresses. Related commands port-security intrusion-mode display port-security mac-address security Use display port-security mac-address security to display information about secure MAC addresses.

  • Page 209: Port-security Authorization Ignore

    2 mac address(es) found # Display only the count of the secure MAC addresses. <Sysname> display port-security mac-address security count This operation may take a few minutes, please wait..2 mac address(es) found # Display information about secure MAC addresses in VLAN 1. <Sysname>...

  • Page 210: Port-security Enable

    Use undo port-security authorization ignore to restore the default. Syntax port-security authorization ignore undo port-security authorization ignore Default A port uses the authorization information from the server. Views Ethernet interface view Default command level 2: System level Usage guidelines After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user's account.

  • Page 211: Port-security Intrusion-mode

    Port security mode is noRestrictions. • You cannot disable port security when online users are present. Examples # Enable port security. <Sysname> system-view [Sysname] port-security enable Related commands display port-security • • dot1x dot1x port-method • dot1x port-control • mac-authentication •...

  • Page 212: Port-security Mac-address Aging-type Inactivity

    Examples # Configure port GigabitEthernet 3/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] port-security intrusion-mode blockmac Related commands display port-security • display port-security mac-address block • port-security timer disableport •...

  • Page 213: Port-security Mac-address Dynamic

    port-security mac-address dynamic Use port-security mac-address dynamic to enable the dynamic secure MAC function. This function converts sticky MAC addresses to dynamic, and disables saving them to the configuration file. Use undo port-security mac-address dynamic to disable the dynamic secure MAC function. Then, all dynamic secure MAC addresses are converted to sticky MAC addresses, and you can manually configure sticky MAC address.

  • Page 214

    undo port-security mac-address security [ sticky ] mac-address vlan vlan-id In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] Default No secure MAC address entry is configured.

  • Page 215: Port-security Max-mac-count

    Examples # Enable port security, set port GigabitEthernet 3/0/1 in autoLearn mode, and add a static secure MAC address 0001-0001-0002 in VLAN 10. <Sysname> system-view [Sysname] port-security enable [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] port-security max-mac-count 100 [Sysname-GigabitEthernet3/0/1] port-security port-mode autolearn [Sysname-GigabitEthernet3/0/1] quit [Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 3/0/1 vlan 10...

  • Page 216: Port-security Ntk-mode

    Usage guidelines In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port. The maximum number set by this command cannot be smaller than the current number of MAC addresses saved on the port. In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port.

  • Page 217: Port-security Oui

    Usage guidelines The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic. Examples # Set the NTK mode of port GigabitEthernet 3/0/1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.

  • Page 218: Port-security Port-mode

    Related commands display port-security port-security port-mode Use port-security port-mode to set the port security mode of a port. Use undo port-security port-mode to restore the default. Syntax port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } undo port-security port-mode Default...

  • Page 219

    Keyword Security mode Description Similar to the macAddressElseUserLoginSecure mode macAddressElseUserL mac-else-userlogin-secu except that a port in this mode supports multiple 802.1X re-ext oginSecureExt and MAC authentication users. In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.

  • Page 220: Port-security Timer Autolearn Aging

    Examples # Enable port security and set port GigabitEthernet 3/0/1 in secure mode. <Sysname> system-view [Sysname] port-security enable [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] port-security port-mode secure # Change the port security mode of port GigabitEthernet 3/0/1 to userLogin. [Sysname-GigabitEthernet3/0/1] undo port-security port-mode [Sysname-GigabitEthernet3/0/1] port-security port-mode userlogin Related commands display port-security...

  • Page 221: Port-security Trap

    Syntax port-security timer disableport time-value undo port-security timer disableport Default The silence period is 20 seconds. Views System view Default command level 2: System level Parameters time-value: Specifies the silence period in seconds during which the port remains disabled. The value range is 20 to 300.

  • Page 222

    Parameters addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address. dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails. dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.

  • Page 223: User Profile Configuration Commands

    User profile configuration commands display user-profile Use display user-profile to display information about all user profiles that have been created. Syntax display user-profile [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters |: Filters command output by specifying a regular expression.

  • Page 224: User-profile

    Syntax user-profile profile-name enable undo user-profile profile-name enable Default A created user profile is disabled. Views System view Default command level 2: System level Parameters profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underlines, and it must start with an English letter.

  • Page 225

    Parameters profile-name: Assigns a name to the user profile. The name is a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underlines, and it must start with an English letter. A user profile name must be globally unique. Examples # Create user profile a123.

  • Page 226: Password Control Configuration Commands

    Password control configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration information.

  • Page 227: Display Password-control Blacklist

    Password complexity: Disabled (username checking) Disabled (repeated characters checking) # Display the password control configuration for super passwords. <Sysname> display password-control super Super password control configurations: Password aging: Enabled (90 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Table 26 Command output Field...

  • Page 228

    Views Any view Default command level 2: System level Parameters user-name name: Specifies a user by the name, a string of 1 to 80 characters. ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. |: Filters command output by specifying a regular expression.

  • Page 229: Password-control { Aging | Composition | History | Length } Enable

    Syntax password undo password Views Local user view Default command level 2: System level Usage guidelines Valid characters for a local user password are from the following four types: Uppercase letters A to Z • Lowercase letters a to z •...

  • Page 230: Password-control Aging

    Views System view Default command level 2: System level Parameters aging: Enables the password aging function. composition: Enables the password composition restriction function. history: Enables the password history function. length: Enables the minimum password length restriction function. Usage guidelines For these four functions to take effect, the password control feature must be enabled globally. You must enable a function for its relevant configurations to take effect.

  • Page 231: Password-control Alert-before-expire

    Default A password expires after 90 days globally. The password aging time of a user group equals the global setting. The password aging time of a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Default command level...

  • Page 232: Password-control Authentication-timeout

    undo password-control alert-before-expire Default A user is notified of pending password expiration 7 days before the user's password expires. Views System view Default command level 2: System level Parameters alert-time: Specifies the number of days before a user's password expires during which the user is notified of the pending password expiration.

  • Page 233: Password-control Complexity

    password-control complexity Use password-control complexity to configure the password complexity checking policy. Complexity-incompliant passwords will be refused. Use undo password-control complexity check to remove a password complexity checking item. Syntax password-control complexity { same-character | user-name } check undo password-control complexity { same-character | user-name } check Default No user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively.

  • Page 234

    In FIPS mode, the global password composition policy is as follows: A password must contain four types of characters from uppercase letters, lowercase letters, digits and special characters, and each type contains at least one character. In both FIPS and non-FIPS mode, the password composition policy of a user group is the same as the global policy, and the password composition policy of a local user is the same as that of the user group to which the local user belongs.

  • Page 235: Password-control Enable

    password-control enable Use password-control enable to enable the password control feature globally. Use undo password-control enable to disable the password control feature globally. Syntax password-control enable undo password-control enable Default The password control feature is disabled globally. Views System view Default command level 2: System level Usage guidelines...

  • Page 236: Password-control History

    Parameters delay: Specifies the maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90. times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10.

  • Page 237

    Default The global minimum password length is 10 characters. The minimum password length of a user group equals the global setting. The minimum password length of a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Default command level...

  • Page 238: Password-control Login Idle-time

    password-control login idle-time Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device. Use undo password-control login idle-time to restore the default. Syntax password-control login idle-time idle-time undo password-control login idle-time...

  • Page 239

    Parameters login-times: Specifies the maximum number of consecutive failed login attempts, in the range of 2 to 10. exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts. lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again.

  • Page 240: Password-control Password Update Interval

    display password-control blacklist • • reset password-control blacklist password-control password update interval Use password-control password update interval to set the minimum password update interval, that is, the minimum interval at which users can change their passwords. Use undo password-control password update interval to restore the default. Syntax password-control password update interval interval undo password-control password update interval...

  • Page 241: Password-control Super Composition

    Views System view Default command level 2: System level Parameters aging-time: Specifies the super password aging time in days, in the range of 1 to 365. Usage guidelines If you do not specify an aging time for super passwords, the system applies the global password aging time to super passwords.

  • Page 242: Password-control Super Length

    Usage guidelines If you do not specify a composition policy for super passwords, the system applies the global password composition policy to super passwords. If you have specified a composition policy for super passwords, the system applies the composition policy to super passwords. Examples # Specify that all super passwords must each contain at least three types of characters and each type contains at least five characters.

  • Page 243: Reset Password-control Blacklist

    reset password-control blacklist Use reset password-control blacklist to remove all or one user from the password control blacklist. Syntax reset password-control blacklist { all | user-name name } Views User view Default command level 3: Manage level Parameters all: Clears all users from the password control blacklist. user-name name: Specifies the user to be removed from the password control blacklist.

  • Page 244

    With the super keyword specified but the level argument not specified, this command deletes the history records of all super passwords. Examples # Clear the history password records of all local users (enter Y to confirm). <Sysname> reset password-control history-record Are you sure to delete all local user's history records? [Y/N]:...

  • Page 245: Rsh Configuration Commands

    RSH configuration commands Use rsh to execute an OS command on a remote host. Syntax rsh host [ user username ] command remote-command Views User view Default command level 0: Visit level Parameters host: IP address or host name of the remote host, a string of 1 to 20 characters. user username: Specifies the username for remote login, a string of 1 to 20 characters.

  • Page 246

    2001-12-07 17:28 122,880 wrshdctl.exe 2003-06-21 10:51 192,512 wrshdnt.cpl 2001-12-09 16:41 38,991 wrshdnt.hlp 2001-12-09 16:26 1,740 wrshdnt.cnt 2003-06-22 11:14 452,230 wrshdnt.htm 2003-06-23 18:18 4,803 wrshdnt_header.htm 2003-06-23 18:18 178 wrshdnt_filelist.xml 2003-06-22 11:13 156,472 wrshdnt.pdf 2001-09-02 15:41 49,152 wrshdrdr.exe 2003-06-21 10:32 69,632 wrshdrun.exe 2004-01-02 15:54 196,608 wrshdsp.exe...

  • Page 247: Public Key Configuration Commands

    Public key configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display the public key information of local asymmetric key pairs.

  • Page 248: Display Public-key Peer

    Time of Key pair created: 19:59:17 2007/10/25 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12 B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75 1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 20:00:16 2007/10/25 Key name: HOST_KEY...

  • Page 249

    Syntax display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all peer public keys. name publickey-name: Displays information about a peer public key.

  • Page 250: Peer-public-key End

    Field Description Key Code Public key data. # Display brief information about all locally saved peer public keys. <Sysname> display public-key peer brief Type Module Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 30 Command output Field Description Type Key type: RSA or DSA. Module Key modulus length in bits.

  • Page 251: Public-key-code Begin

    Default command level 2: System level Usage guidelines If the peer device is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant. Examples # Enter public key code view and input the key.

  • Page 252: Public-key Local Create

    Usage guidelines The system verifies the key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key. Examples # Exit public key code view and save the configured public key.

  • Page 253: Public-key Local Destroy

    In FIPS mode, the DSA key modulus length is at least 1024 bits, and the RSA key modulus length must be 2048 bits. Examples # Create local RSA key pairs. <Sysname> system-view [Sysname] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.

  • Page 254: Public-key Local Export Dsa

    Parameters dsa: DSA key pair. rsa: RSA key pair. Examples # Destroy the local RSA key pairs. <Sysname> system-view [Sysname] public-key local destroy rsa Warning: Confirm to destroy these keys? [Y/N]:y # Destroy the local DSA key pair. <Sysname> system-view [Sysname] public-key local destroy dsa Warning: Confirm to destroy these keys? [Y/N] :y Related commands...

  • Page 255: Public-key Local Export Rsa

    [Sysname] public-key local export dsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "dsa-key-20070625" AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEKdDt6xcatp RjxsSrhXFVIdRjxw59qZnKhl87GsbgP4ccUp3KmcRzuqpz1qNtfgoZOLzHnG1YGxPp7Q2k/uRuuHN0bJfBkOL o2/RyGqDJIqB4FQwmrkwJuauYGqQy+mgE6dmHn0VG4gAkx9MQxDIBjzbZRX0bvxMdNKR22 ---- END SSH2 PUBLIC KEY ---- # Display the local DSA host public key in OpenSSH format. <Sysname> system-view [Sysname] public-key local export dsa openssh ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3...

  • Page 256: Public-key Peer

    Usage guidelines SSH1, SSH2.0 and OpenSSH are different public key formats for different requirements. Examples # Export the host public key of the local RSA key pairs in OpenSSH format to the file named key.pub. <Sysname> system-view [Sysname] public-key local export rsa openssh key.pub # Display the host public key of the local RSA key pairs in SSH2.0 format.

  • Page 257: Public-key Peer Import Sshkey

    Usage guidelines To manually configure the peer public key on the local device, obtain the public key in hexadecimal from the peer device beforehand, and perform the following configurations on the local device: Execute the public-key peer command, and then the public-key-code begin command to enter public key code view.

  • Page 258

    Examples # Import the peer host public key named key2 from the public key file key.pub. <Sysname> system-view [Sysname] public-key peer key2 import sshkey key.pub Related commands display public-key peer...

  • Page 259: Pki Configuration Commands

    PKI configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name and alternative certificate subject name.

  • Page 260: Ca Identifier

    Usage guidelines The attribute of the alternative certificate subject name does not appear as a distinguished name, and therefore the dn keyword is not available for the attribute. Examples # Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc. <Sysname>...

  • Page 261: Certificate Request From

    Use undo certificate request entity to remove the configuration. Syntax certificate request entity entity-name undo certificate request entity Default No entity is specified for certificate request. Views PKI domain view Default command level 2: System level Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Examples # Specify the entity for certificate request as entity1.

  • Page 262: Certificate Request Mode

    <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] certificate request from ca certificate request mode Use certificate request mode to set the certificate request mode. Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual } undo certificate request mode Default...

  • Page 263: Certificate Request Polling

    Related commands pki request-certificate certificate request polling Use certificate request polling to specify the certificate request polling interval and attempt limit. Use undo certificate request polling to restore the defaults. Syntax certificate request polling { count count | interval minutes } undo certificate request polling { count | interval } Default The polling is executed every 20 minutes for up to 50 times.

  • Page 264: Common-name

    Default No URL is specified for a PKI domain. Views PKI domain view Default command level 2: System level Parameters url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of CGI command interface script in the format of http://server_location/ca_script_location, where server_location must be an IP address and does not support domain name resolution.

  • Page 265: Country

    country Use country to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China. Use undo country to remove the configuration. Syntax country country-code-str undo country Default No country code is specified. Views PKI entity view Default command level...

  • Page 266: Crl Update-period

    Usage guidelines CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted. Examples # Disable CRL checking.

  • Page 267: Display Pki Certificate

    Default No CRL distribution point URL is specified. Views PKI domain view Default command level 2: System level Parameters url-string: URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters in the format of ldap://server_location or http://server_location, where server_location must be an IP address or a domain name.

  • Page 268

    regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display the local certificate. <Sysname> display pki certificate local domain 1 Certificate: Data: Version: 3 (0x2) Serial Number: 10B7D4E3 00010000 0086 Signature Algorithm: md5WithRSAEncryption Issuer: emailAddress=myca@aabbcc.net C=CN ST=Country A...

  • Page 269: Display Pki Certificate Access-control-policy

    Field Description Issuer Issuer of the certificate. Validity Validity period of the certificate. Subject Entity holding the certificate. Subject Public Key Info Public key information of the entity. X509v3 extensions Extensions of the X.509 (version 3) certificate. X509v3 CRL Distribution Points Distribution points of X.509 (version 3) CRLs.

  • Page 270: Display Pki Certificate Attribute-group

    Table 32 Command output Field Description access-control-policy Name of the certificate attribute-based access control policy. rule number Number of the access control rule. display pki certificate attribute-group Use display pki certificate attribute-group to display information about one or all certificate attribute groups.

  • Page 271: Display Pki Crl Domain

    Field Description Value of attribute 1. issuer-name Name of the certificate issuer. fqdn FQDN of the entity. nctn Not-contain operations. Value of attribute 2. display pki crl domain Use display pki crl domain to display the locally saved CRLs. Syntax display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ] Views Any view...

  • Page 272: Fqdn

    Revoked Certificates: Serial Number: 05a234448E… Revocation Date: Sep 6 12:33:22 2004 GMT CRL entry extensions:… Serial Number: 05a278445E… Revocation Date: Sep 7 12:33:22 2004 GMT CRL entry extensions:… Table 34 Command output Field Description Version Version of the CRL. Signature Algorithm Signature algorithm used by the CRLs.

  • Page 273: Ip (pki Entity View)

    Parameters name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters. Usage guidelines An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.

  • Page 274: Locality

    Default No LDP server is specified for a PKI domain. Views PKI domain view Default command level 2: System level Parameters ip-address: Specifies the IP address of the LDAP server, in dotted decimal format. port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.

  • Page 275: Organization

    organization Use organization to configure the name of the organization to which the entity belongs. Use undo organization to remove the configuration. Syntax organization org-name undo organization Default No organization name is specified for an entity. Views PKI entity view Default command level 2: System level Parameters...

  • Page 276: Pki Certificate Access-control-policy

    Examples # Configure the name of the organization unit to which an entity belongs as group1. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] organization-unit group1 pki certificate access-control-policy Use pki certificate access-control-policy to create a certificate attribute-based access control policy and enter its view.

  • Page 277: Pki Delete-certificate

    Views System view Default command level 2: System level Parameters group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all. all: Specifies all certificate attribute groups. Examples # Create a certificate attribute group named mygroup and enter its view.

  • Page 278: Pki Entity

    Default No PKI domain exists. Views System view Default command level 2: System level Parameters domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters. Usage guidelines You can create up to 32 PKI domains on a device. Examples # Create a PKI domain and enter its view.

  • Page 279: Pki Import-certificate

    pki import-certificate Use pki import-certificate to import a CA certificate or local certificate from a file and save it locally. Syntax pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ] Views System view Default command level...

  • Page 280: Pki Retrieval-certificate

    Views System view Default command level 2: System level Parameters domain-name: Name of the PKI domain name, a string of 1 to 15 characters. password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters. pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certification by an out-of-band means, like phone, disk, or email.

  • Page 281: Pki Retrieval-crl Domain

    local: Obtains the local certificate. domain-name: Name of the PKI domain used for certificate request. Examples # Obtain the CA certificate from the certificate issuing server. <Sysname> system-view [Sysname] pki retrieval-certificate ca domain 1 Related commands pki domain pki retrieval-crl domain Use pki retrieval-crl domain to obtain the latest CRLs from the server for CRL distribution.

  • Page 282: Root-certificate Fingerprint

    Parameters ca: Verifies the CA certificate. local: Verifies the local certificate. domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters. Usage guidelines The focus of certificate validity verification will check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.

  • Page 283: Rule (pki Cert Acp View)

    # Configure a SHA1 fingerprint for verifying the validity of the CA root certificate. [Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 rule (PKI CERT ACP view) Use rule to create a certificate attribute access control rule. Use undo rule to delete one or all access control rules. Syntax rule [ id ] { deny | permit } group-name undo rule { id | all }...

  • Page 284

    Syntax state state-name undo state Default No state or province is specified. Views PKI entity view Default command level 2: System level Parameters state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.

  • Page 285: Ipsec Configuration Commands

    IPsec configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.

  • Page 286: Connection-name

    connection-name Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy. Use undo connection-name to restore the default. Syntax connection-name name undo connection-name Default No IPsec connection name is configured. Views IPsec policy view, IPsec policy template view Default command level 2: System level...

  • Page 287: Display Ipsec Policy

    Parameters Specifies an interface card by its slot number. The following matrix shows the slot slot-number option and router compatibility: Option 6602 HSR6602 6604/6608/6616 slot slot-number Examples # Enable the encryption engine. <Sysname> system-view [Sysname] cryptoengine enable display ipsec policy Use display ipsec policy to display information about IPsec policies.

  • Page 288

    <Sysname> display ipsec policy brief IPsec Policy Name Mode IKE Peer Name Mapped Template ------------------------------------------------------------------------ bbbbbbbbbbbbbbb-1 template aaaaaaaaaaaaaaa man-1 manual 3400 map-1 isakmp 3000 peer nat-1 isakmp 3500 test-1 isakmp 3200 test toccccc-1 isakmp 3003 tocccc IPsec Policy Name Mode Local Address Remote Address ------------------------------------------------------------------------...

  • Page 289

    synchronization inbound anti-replay-interval: 1000 packets synchronization outbound anti-replay-interval: 10000 packets IPsec sa local duration(time based): 3600 seconds IPsec sa local duration(traffic based): 1843200 kilobytes policy enable: True tfc enable: False =========================================== IPsec Policy Group: "policy_man" Interface: GigabitEthernet3/0/2 =========================================== ----------------------------------------- IPsec policy name: "policy_man" sequence number: 10 acl version: ACL4 mode: manual...

  • Page 290

    IPsec policy name: "policy001" sequence number: 10 acl version: None mode: manual ----------------------------- encapsulation mode: tunnel security data flow : tunnel local address: tunnel remote address: transform-set name: prop1 inbound AH setting: AH spi: AH string-key: AH authentication hex key: ****** inbound ESP setting: ESP spi: 23456 (0x5ba0) ESP string-key:...

  • Page 291: Display Ipsec Policy-template

    Field Description Name of the protocol to which the IPsec policy is applied. (This Protocol field is not displayed when the IPsec policy is not applied to any routing protocol.) sequence number Sequence number of the IPsec policy. Negotiation mode of the IPsec policy: •...

  • Page 292

    Parameters brief: Displays brief information about all IPsec policy templates. name: Displays detailed information about a specified IPsec policy template or IPsec policy template group. template-name: Name of the IPsec policy template, a string of 1 to 41 characters. seq-number: Sequence number of the IPsec policy template, in the range 1 to 10000. |: Filters command output by specifying a regular expression.

  • Page 293: Display Ipsec Profile

    ACL’s Version: acl4 ike-peer name: PFS: N transform-set name: testprop IPsec sa local duration(time based): 3600 seconds IPsec sa local duration(traffic based): 1843200 kilobytes Table 38 Command output Field Description IPsec packet encapsulation mode: • tunnel—Tunnel mode. encapsulation mode • transport—Transport mode.

  • Page 294

    exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays the configuration information of all IPsec profiles.

  • Page 295: Display Ipsec Sa

    Table 39 Command output Field Description Interface Interface that references the IPsec profile. Encapsulation mode for the IPsec profile: • encapsulation mode dvpn—DVPN tunnel mode. • tunnel—IPsec tunnel mode. ACL referenced by the IPsec profile. security data flow As an IPsec profile does not reference any ACL, no information is displayed for this field.

  • Page 296

    |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.

  • Page 297

    PFS: N, DH group: none tunnel: local address: 2.2.2.2 remote address: 1.1.1.2 flow: sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP [inbound ESP SAs] spi: 0xd47b1ac1(3564837569) transform: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 1 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686 anti-replay detection: Enabled...

  • Page 298

    in use setting: Transport connection id: 3 No duration limit for this sa [outbound AH SAs] spi: 0x12d683 (1234563) transform: AH-MD5HMAC96 in use setting: Transport connection id: 4 No duration limit for this sa =============================== Interface: GigabitEthernet1/0/1 path MTU: 1500 =============================== ----------------------------- IPsec policy name: "r2"...

  • Page 299

    spi: 0x2FC8FD45(801701189) transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 7 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686 anti-replay detection: Disabled udp encapsulation used for nat traversal: N/A status: active spi: 0xBC1D46C4(3156035268) transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 8 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686...

  • Page 300: Display Ipsec Statistics

    Field Description Security parameter index. transform Security protocol and algorithms used by the IPsec transform set. in use setting IPsec SA attribute setting: transport or tunnel. connection id IPsec tunnel identifier. sa duration Lifetime of the IPsec SA. sa remaining duration Remaining lifetime of the SA.

  • Page 301

    Examples # Display statistics for all IPsec packets. <Sysname> display ipsec statistics the security packet statistics: input/output security packets: 47/62 input/output security bytes: 3948/5208 input/output dropped security packets: 0/45 dropped security packet detail: not enough memory: 0 can't find SA: 45 queue is full: 0 authentication has failed: 0 wrong length: 0...

  • Page 302: Display Ipsec Transform-set

    Field Description can't find SA Number of packets dropped due to finding no security association. queue is full Number of packets dropped due to full queues. authentication has failed Number of packets dropped due to authentication failure. wrong length Number of packets dropped due to wrong packet length. replay packet Number of packets replayed.

  • Page 303: Display Ipsec Tunnel

    ESN : disable ESN scheme: NO transform: esp-new ESP protocol: Integrity: md5-hmac-96 Encryption: des IPsec transform-set name: tran2 encapsulation mode: transport transform: esp-new ESP protocol: Integrity: md5-hmac-96 Encryption: des Table 43 Command output Field Description IPsec transform-set name Name of the IPsec transform set. encapsulation mode Encapsulation mode used by the IPsec transform set, transport or tunnel.

  • Page 304

    Examples # Display information about IPsec tunnels. <Sysname> display ipsec tunnel total tunnel : 2 ------------------------------------------------ connection id: 3 perfect forward secrecy: SA's SPI: inbound: 187199087 (0xb286e6f) [ESP] outbound: 3562274487 (0xd453feb7) [ESP] tunnel: local address: 44.44.44.44 remote address : 44.44.44.55 flow: sour addr : 44.44.44.0/255.255.255.0 port: 0...

  • Page 305: Encapsulation-mode

    Field Description tunnel Local and remote addresses of the tunnel. Data flow protected by the IPsec tunnel, including source IP address, flow destination IP address, source port, destination port and protocol. as defined in acl 3001 The IPsec tunnel protects all data flows defined by ACL 3001. encapsulation-mode Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.

  • Page 306: Esp Encryption-algorithm

    Syntax esp authentication-algorithm { md5 | sha1 } undo esp authentication-algorithm Default In FIPS mode, ESP uses the SHA- 1 authentication algorithm. In non-FIPS mode, ESP uses no authentication algorithm. Views IPsec transform set view Default command level 2: System level Parameters md5: Uses the MD5 algorithm, which uses a 128-bit key.

  • Page 307: Ike-peer (ipsec Policy View/ipsec Policy Template View/ipsec Profile View)

    In non-FIPS mode, ESP uses no encryption algorithm. Views IPsec transform set view Default command level 2: System level Parameters 3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key. This keyword is not supported in FIPS mode. aes-cbc-128: Uses the Advanced Encryption Standard (AES) in CBC mode that uses a 128- bit key.

  • Page 308: Ipsec Anti-replay Check

    Views IPsec policy view, IPsec policy template view, IPsec profile view Default command level 2: System level Parameters peer-name: IKE peer name, a string of 1 to 32 characters. Examples # Configure a reference to an IKE peer in an IPsec policy. <Sysname>...

  • Page 309: Ipsec Decrypt Check

    Use undo ipsec anti-replay window to restore the default. Syntax ipsec anti-replay window width undo ipsec anti-replay window Default The size of the anti-replay window is 32. Views System view Default command level 2: System level Parameters width: Size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024. Usage guidelines Your configuration affects only IPsec SAs negotiated later.

  • Page 310: Ipsec Fragmentation Before-encryption

    ipsec fragmentation before-encryption Use ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation before encryption. Use undo ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation after encryption. Syntax ipsec fragmentation before-encryption enable undo ipsec fragmentation before-encryption enable Default IPsec packet fragmentation before encryption is enabled. Views System view Default command level...

  • Page 311: Ipsec Policy (interface View)

    Default The invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs. Views System view Default command level 2: System level Usage guidelines Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its peer when it receives an IPsec packet but cannot find any SA with the specified SPI.

  • Page 312: Ipsec Policy (system View)

    Examples # Apply IPsec policy group pg1 to interface Serial 2/1/2. <Sysname> system-view [Sysname] interface serial 2/1/2 [Sysname-Serial2/1/2] ipsec policy pg1 Related commands ipsec policy (system view) ipsec policy (system view) Use ipsec policy to create an IPsec policy and enter its view. Use undo ipsec policy to delete the specified IPsec policies.

  • Page 313: Ipsec Policy Isakmp Template

    Examples # Create an IPsec policy with the name policy1 and sequence number 100, and specify to set up SAs through IKE negotiation. <Sysname> system-view [Sysname] ipsec policy policy1 100 isakmp [Sysname-ipsec-policy-isakmp-policy1-100] # Create an IPsec policy with the name policy1 and specify the manual mode for it. <Sysname>...

  • Page 314: Ipsec Policy-template

    ipsec policy-template • Examples # Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1. <Sysname> system-view [Sysname] ipsec policy policy2 200 isakmp template temp1 ipsec policy-template Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view. Use undo ipsec policy-template to delete the specified IPsec policy templates.

  • Page 315: Ipsec Profile (tunnel Interface View)

    Use undo ipsec profile to delete an IPsec profile. Syntax ipsec profile profile-name undo ipsec profile profile-name Default No IPsec profile exists. Views System view Default command level 2: System level Parameters profile-name: Name for the IPsec profile, a case-insensitive string of 1 to 15 characters. Usage guidelines IPsec profiles can be applied to only DVPN interfaces and IPsec tunnel interfaces.

  • Page 316: Ipsec Sa Global-duration

    Parameters profile-name: Name of the IPsec profile, a case-insensitive string of 1 to 15 characters. Usage guidelines Only one IPsec profile can be applied to a tunnel interface. To apply another IPsec profile to the tunnel interface, remove the original application first. An IPsec profile cannot be applied to the DVPN tunnel interface and the IPsec tunnel interface simultaneously.

  • Page 317: Ipsec Transform-set

    Usage guidelines When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime. When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by the remote.

  • Page 318

    Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy or IPsec profile to initiate a negotiation. Use undo pfs to remove the configuration. Syntax pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 } undo pfs Default The PFS feature is not used for negotiation.

  • Page 319: Policy Enable

    policy enable Use policy enable to enable the IPsec policy. Use undo policy enable to disable the IPsec policy. Syntax policy enable undo policy enable Default The IPsec policy is enabled. Views IPsec policy view, IPsec policy template view Default command level 2: System level Usage guidelines The command is not applicable to manual IPsec policies.

  • Page 320: Reset Ipsec Sa

    Usage guidelines With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header of the original IP packet—the header of the IP packet that has not been encapsulated by IPsec. Examples # Enable packet information pre-extraction. <Sysname>...

  • Page 321: Reset Ipsec Statistics

    IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared. If you do not specify any parameter, the command clears all IPsec SAs. Examples # Clear all IPsec SAs.

  • Page 322

    Syntax reverse-route [ remote-peer ip-address [ gateway | static ] | static ] undo reverse-route Default IPsec RRI is disabled. Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters static: Enables static IPsec Reverse Route Inject (RRI). Static IPsec RRI creates static routes based on the ACL that the IPsec policy references.

  • Page 323

    Table 45 Possible IPsec RRI configurations and the generated routing information IPsec RRI Command Route destination Next hop address mode • Manual IPsec policy: Peer tunnel address set with the tunnel remote Destination IP address command. specified in a permit rule of reverse-route static Static •...

  • Page 324

    [Sysname-ipsec-policy-isakmp-1-1] security acl 3000 [Sysname-ipsec-policy-isakmp-1-1] transform-set tran1 [Sysname-ipsec-policy-isakmp-1-1] ike-peer 1 [Sysname-ipsec-policy-isakmp-1-1] reverse-route static [Sysname-ipsec-policy-isakmp-1-1] quit [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] ipsec policy 1 [Sysname-GigabitEthernet3/0/1]quit # Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not shown.) [Sysname] display ip routing-table Destination/Mask...

  • Page 325: Reverse-route Preference

    # Configure dynamic IPsec RRI to create two static routes based on an IPsec SA: one to the peer private network 3.0.0.0/24 via the remote tunnel endpoint 1.1.1.2, and the other to the remote tunnel endpoint via 1.1.1.3. [Sysname]ipsec policy 1 1 isakmp [Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 gateway # Display the routing table.

  • Page 326: Reverse-route Tag

    Related commands reverse-route reverse-route tag Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in implementing flexible route control through routing policies. Use undo reverse-route tag to restore the default. Syntax reverse-route tag tag-value undo reverse-route tag...

  • Page 327

    undo sa authentication-hex { inbound | outbound } { ah | esp } Views IPsec policy view Default command level 2: System level Parameters inbound: Specifies the inbound SA through which IPsec processes the received packets. outbound: Specifies the outbound SA through which IPsec processes the packets to be sent. ah: Uses AH.

  • Page 328: Sa Duration

    sa duration Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile. Use undo sa duration to restore the default. Syntax sa duration { time-based seconds | traffic-based kilobytes } undo sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime.

  • Page 329: Sa Encryption-hex

    [Sysname] ipsec profile profile1 [Sysname-ipsec-profile-profile1] sa duration time-based 7200 # Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes). <Sysname> system-view [Sysname] ipsec profile profile1 [Sysname-ipsec-profile-profile1] sa duration traffic-based 20480 sa encryption-hex Use sa encryption-hex to configure an encryption key for an SA. Use undo sa encryption-hex to remove the configuration.

  • Page 330

    At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel.

  • Page 331: Sa String-key

    Within a certain network scope, each router must use the same SPI and keys for its inbound and • outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process.

  • Page 332: Security Acl

    Usage guidelines This command applies to only manual IPsec policies. This command is not available in FIPS mode. When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs. The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.

  • Page 333

    Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters ipv6: Specifies an IPV6 ACL. acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999. aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the standard mode is used.

  • Page 334: Transform

    transform Use transform to specify a security protocol for an IPsec transform set. Use undo transform to restore the default. Syntax transform { ah | ah-esp | esp } undo transform Default The ESP protocol is used. Views IPsec transform set view Default command level 2: System level Parameters...

  • Page 335: Tunnel Local

    Views IPsec policy view, IPsec policy template view, IPsec profile view Default command level 2: System level Parameters transform-set-name&<1-6>: Name of the IPsec transform set, a string of 1 to 32 characters. &<1-6> means that you can specify up to six transform sets, which are separated by space. Usage guidelines The specified IPsec transform sets must already exist.

  • Page 336: Tunnel Remote

    Default No local address is configured for an IPsec tunnel. Views IPsec policy view Default command level 2: System level Parameters ipv6: Specifies an IPv6 address. ip-address: Local address for the IPsec tunnel. Usage guidelines This command applies to only manual IPsec policies. The local address, if not configured, will be the address of the interface to which the IPsec policy is applied.

  • Page 337

    ip-address: Remote address for the IPsec tunnel. Usage guidelines This command applies to only manual IPsec policies. If you execute this command multiple times, the most recent configuration takes effect. An IPsec tunnel is established between the local and remote ends. The remote IP address of the local end must be the same as that of the local IP address of the remote end.

  • Page 338: Ike Configuration Commands

    IKE configuration commands authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default. Syntax authentication-algorithm { md5 | sha } undo authentication-algorithm Default An IKE proposal uses the SHA- 1 authentication algorithm. Views IKE proposal view Default command level...

  • Page 339: Certificate Domain

    Views IKE proposal view Default command level 2: System level Parameters pre-share: Uses the pre-shared key method. rsa-signature: Uses the RSA digital signature method. Examples # Specify that IKE proposal 10 uses the pre-shared key authentication method. <Sysname> system-view [Sysname] ike proposal 10 [Sysname-ike-proposal-10] authentication-method pre-share Related commands ike proposal...

  • Page 340: Display Ike Dpd

    Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal. Use undo dh to restore the default. Syntax dh { group1 | group2 | group5 | group14 } undo dh Default In FIPS mode, group2 (1024-bit Diffie-Hellman group) is used.

  • Page 341: Display Ike Peer

    Parameters dpd-name: DPD name, a string of 1 to 32 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.

  • Page 342: Display Ike Proposal

    |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.

  • Page 343

    Syntax display ike proposal [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.

  • Page 344: Display Ike Sa

    • • sa duration display ike sa Use display ike sa to display information about the current IKE SAs. Syntax display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address ] ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...

  • Page 345

    Table 49 Command output Field Description total phase-1 SAs Total number of SAs for phase 1. connection-id Identifier of the ISAKMP SA. peer Remote IP address of the SA. Status of the SA: • RD (READY)—The SA has been established. •...

  • Page 346

    remaining key duration(sec): 86379 exchange-mode: MAIN diffie-hellman group: GROUP1 nat traversal: NO # Display detailed information about the IKE SA with the connection ID of 2. <Sysname> display ike sa verbose connection-id 2 --------------------------------------------- vpn-instance: 1 transmitting entity: initiator --------------------------------------------- local id type: IPV4_ADDR local id: 4.4.4.4 remote id type: IPV4_ADDR...

  • Page 347

    authentication-algorithm: HASH-SHA1 encryption-algorithm: DES-CBC life duration(sec): 86400 remaining key duration(sec): 82236 exchange-mode: MAIN diffie-hellman group: GROUP1 nat traversal: NO Table 50 Command output Field Description vpn-instance MPLS L3VPN that the protected data belongs to. transmitting entity Entity in the IKE negotiation. local id type Identifier type of the local gateway.

  • Page 348: Encryption-algorithm

    Default No DPD detector is applied to an IKE peer. Views IKE peer view Default command level 2: System level Parameters dpd-name: DPD detector name, a string of 1 to 32 characters. Examples # Apply dpd1 to IKE peer peer1. <Sysname>...

  • Page 349: Exchange-mode

    When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends setting the IKE negotiation mode to aggressive at the local end.

  • Page 350

    Syntax id-type { ip | name | user-fqdn } undo id-type Default The ID type is IP address. Views IKE peer view Default command level 2: System level Parameters ip: Uses an IP address as the ID during IKE negotiation. name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.

  • Page 351: Ike Local-name

    Views System view Default command level 2: System level Parameters dpd-name: Name for the DPD detector, a string of 1 to 32 characters. Usage guidelines DPD irregularly detects dead IKE peers. It works as follows: When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.

  • Page 352: Ike Next-payload Check Disabled

    Parameters name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters. Usage guidelines If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation, and you must configure the ike local-name command in system view or the local-name command in IKE peer view on the local device.

  • Page 353: Ike Peer (system View)

    ike peer (system view) Use ike peer to create an IKE peer and enter IKE peer view. Use undo ike peer to delete an IKE peer. Syntax ike peer peer-name undo ike peer peer-name Views System view Default command level 2: System level Parameters peer-name: IKE peer name, a string of 1 to 32 characters.

  • Page 354: Ike Sa Keepalive-timer Interval

    Setting Non-FIPS mode FIPS mode Authentication HMAC-SHA1 algorithm Authentication method Pre-shared key Pre-shared key DH group MODP_768 MODP_1024 SA lifetime 86400 seconds 86400 seconds Examples # Create IKE proposal 10 and enter IKE proposal view. <Sysname> system-view [Sysname] ike proposal 10 [Sysname-ike-proposal-10] Related commands display ike proposal...

  • Page 355: Ike Sa Keepalive-timer Timeout

    ike sa keepalive-timer timeout Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout. Use undo ike sa keepalive-timer timeout to disable the function. Syntax ike sa keepalive-timer timeout seconds undo ike sa keepalive-timer timeout Default No keepalive packet is sent. Views System view Default command level...

  • Page 356: Interval-time

    Default command level 2: System level Parameters seconds: NAT keepalive interval in seconds, in the range 5 to 300. Examples # Set the NAT keepalive interval to 5 seconds. <Sysname> system-view [Sysname] ike sa nat-keepalive-timer interval 5 interval-time Use interval-time to set the DPD query triggering interval for a DPD detector. Use undo interval-time to restore the default.

  • Page 357: Local-address

    Default The subnet is a single one. Views IKE peer view Default command level 2: System level Parameters multi-subnet: Sets the subnet type to multiple. single-subnet: Sets the subnet type to single. Usage guidelines Use this command to enable interoperability with a NetScreen device. Examples # Set the subnet type of the local security gateway to multiple.

  • Page 358: Local-name

    [Sysname-ike-peer-xhy] local-address 1.1.1.1 local-name Use local-name to configure a name for the local security gateway to be used in IKE negation. Use undo local-name to restore the default. Syntax local-name name undo local-name Default The device name is used as the name of the local security gateway view. Views IKE peer view Default command level...

  • Page 359: Peer

    Syntax nat traversal undo nat traversal Default The NAT traversal function is disabled. Views IKE peer view Default command level 2: System level Examples # Enable the NAT traversal function for IKE peer peer1. <Sysname> system-view [Sysname] ike peer peer1 [Sysname-ike-peer-peer1] nat traversal peer Use peer to set the subnet type of the peer security gateway for IKE negotiation.

  • Page 360: Pre-shared-key

    pre-shared-key Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation. Use undo pre-shared-key to remove the configuration. Syntax pre-shared-key [ cipher | simple ] key undo pre-shared-key Views IKE peer view Default command level 2: System level Parameters cipher: Sets a ciphertext pre-shared key.

  • Page 361: Remote-address

    Views IKE peer view Default command level 2: System level Parameters proposal-number&<1-6>: Sequence number of the IKE proposal for the IKE peer to reference, in the range 1 to 65535. &<1-6> means that you can specify the proposal-number argument for up to six times. An IKE proposal with a smaller sequence number has a higher priority.

  • Page 362: Remote-name

    low-ip-address: IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses. high-ip-address: Highest address in the address range if you want to specify a range of addresses. Usage guidelines The IP address configured with the remote-address command must match the local security gateway IP address that the remote security gateway uses for IKE negotiation, which is the IP address configured with...

  • Page 363: Reset Ike Sa

    Usage guidelines If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.

  • Page 364

    <Sysname> display ike sa total phase-1 SAs: connection-id peer flag phase ---------------------------------------------------------- 202.38.0.2 RD|ST IPSEC flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO——TIMEOUT RK--REKEY Related commands display ike sa sa duration Use sa duration to set the ISAKMP SA lifetime for an IKE proposal. Use undo sa duration to restore the default.

  • Page 365

    Syntax time-out time-out undo time-out Views IKE DPD view Default command level 2: System level Parameters time-out: DPD packet retransmission interval in seconds, in the range 1 to 60. Usage guidelines The default DPD packet retransmission interval is 5 seconds. Examples # Set the DPD packet retransmission interval to 1 second for dpd2.

  • Page 366: Ssh Configuration Commands

    SSH configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server configuration commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.

  • Page 367

    Table 51 Command output Field Description SSH Server Whether the SSH server function is enabled. SSH protocol version. SSH version When the SSH supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2. SSH authentication-timeout Authentication timeout timer. SSH server key generating interval SSH server key pair update interval.

  • Page 368: Display Ssh User-information

    display ssh user-information Use display ssh user-information on an SSH server to display information about SSH users. Syntax display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters username: Specifies an SSH username, a string of 1 to 80 characters.

  • Page 369: Sftp Server Enable

    Related commands ssh user sftp server enable Use sftp server enable to enable the SFTP server function. Use undo sftp server enable to disable the SFTP server function. Syntax sftp server enable undo sftp server enable Default The SFTP server function is disabled. Views System view Default command level...

  • Page 370: Ssh Server Authentication-retries

    Parameters time-out-value: Specifies a timeout timer in minutes, in the range of 1 to 35791. Usage guidelines If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, you can set a smaller value so that the connection resources can be properly released.

  • Page 371: Ssh Server Authentication-timeout

    [Sysname] ssh server authentication-retries 4 Related commands display ssh server ssh server authentication-timeout Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. If a user does not finish the authentication when the timer expires, the connection is down. Use undo ssh server authentication-timeout to restore the default.

  • Page 372: Ssh Server Enable

    Views System view Default command level 3: Manage level Usage guidelines The configuration takes effect only for the clients at next login. Examples # Enable the SSH server to support SSH1 clients. <Sysname> system-view [Sysname] ssh server compatible-ssh1x enable Related commands display ssh server ssh server enable Use ssh server enable to enable the SSH server function so that the SSH clients use SSH to communicate...

  • Page 373: Ssh User

    Syntax ssh server rekey-interval hours undo ssh server rekey-interval Default The update interval of the RSA server key is 0. That is, the system does not update the RSA server key pairs. Views System view Default command level 3: Manage level Parameters hours: Specifies an interval for updating the server key pair in hours, in the range of 1 to 24.

  • Page 374

    Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. service-type: Specifies the service type of an SSH user: all: Specifies Stelnet, SFTP, and SCP. • scp: Specifies the service type as SCP. • • sftp: Specifies the service type as SFTP. stelnet: Specifies the service type of Stelnet.

  • Page 375: Ssh Client Configuration Commands

    publickey authentication or using both publickey authentication and password authentication, the working folder is the one set by using the ssh user command. Examples # Create an SSH user named user1, setting the service type as sftp, the authentication method as publickey, assigning a public key named key1 to the client, and the work folder of the SFTP server as cfa0: <Sysname>...

  • Page 376: Cdup

    Default command level 3: Manage level Parameters remote-path: Specifies a path on the server. If you do not specify this argument, the command displays the current working path. Usage guidelines You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system.

  • Page 377

    Parameters remote-file&<1- 1 0>: Specifies one or more files to delete on the server. &<1- 1 0> means that you can provide up to 10 filenames, which are separated by space. Usage guidelines This command functions as the remove command. Examples # Delete file temp.c from the server.

  • Page 378: Display Sftp Client Source

    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2 -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2 display sftp client source Use display sftp client source to display the source IP address or source interface set for the SFTP client.

  • Page 379: Display Ssh Server-info

    Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.

  • Page 380: Exit

    When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to check the public key of the server saved on the client. Examples # Display the mappings between SSH servers and their host public keys on the client.

  • Page 381: Help

    Views SFTP client view Default command level 3: Manage level Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Specifies the name for the local file. Usage guidelines If you do not specify the local-file argument, the file will be saved locally with the same name as that on the SFTP server.

  • Page 382: Mkdir

    Syntax ls [ -a | -l ] [ remote-path ] Views SFTP client view Default command level 3: Manage level Parameters -a: Displays the filenames and the folder names of the specified directory. -l: Displays in a list form detailed information of the files and folders of the specified directory. remote-path: Specifies the directory to be queried.

  • Page 383

    Examples # Create a directory named test on the SFTP server. sftp-client> mkdir test New directory created Use put to upload a local file to an SFTP server. Syntax put local-file [ remote-file ] Views SFTP client view Default command level 3: Manage level Parameters local-file: Specifies the name of a local file.

  • Page 384: Quit

    quit Use quit to terminate the connection with an SFTP server and return to user view. Syntax quit Views SFTP client view Default command level 3: Manage level Usage guidelines This command functions as the bye and exit commands. Examples # Terminate the connection with the SFTP server.

  • Page 385: Rename

    File successfully Removed rename Use rename to change the name of a specified file or directory on an SFTP server. Syntax rename oldname newname Views SFTP client view Default command level 3: Manage level Parameters oldname: Specifies the name of an existing file or directory. newname: Specifies a new name for the file or directory.

  • Page 386

    Syntax In non-FIPS mode: scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *...

  • Page 387: Sftp

    prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96. • md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode. md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode. •...

  • Page 388

    Syntax In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * In FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-ctos-cipher...

  • Page 389: Sftp Client Ipv6 Source

    prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode, and is dh-group14 in FIPS mode. dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. • This keyword is not available in FIPS mode. dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.This keyword is not •...

  • Page 390: Sftp Client Source

    Usage guidelines To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, HP recommends you to specify a loopback interface as the source interface.

  • Page 391: Sftp Ipv6

    Usage guidelines To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, HP recommends you to specify a loopback interface as the source interface.

  • Page 392

    rsa: Specifies the public key algorithm rsa. • prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used. zlib: Specifies the compression algorithm ZLIB. • zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com. • prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. 3des: Specifies the encryption algorithm 3des-cbc.

  • Page 393: Ssh Client Authentication Server

    The preferred client-to-server HMAC algorithm is sha1-96. • • The preferred key exchange algorithm is dh-group14. The preferred server-to-client encryption algorithm is aes128. • The preferred server-to-client HMAC algorithm is sha1-96. • Examples # Connect to server 2:5::8:9, using the following connection scheme: The preferred key exchange algorithm: dh-group1.

  • Page 394: Ssh Client First-time Enable

    <Sysname> system-view [Sysname] ssh client authentication server 192.168.0.1 assign publickey key1 Related commands ssh client first-time enable ssh client first-time enable Use ssh client first-time enable to enable the first-time authentication function. Use undo ssh client first-time to disable the function. Syntax ssh client first-time enable undo ssh client first-time...

  • Page 395: Ssh Client Source

    Usage guidelines To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends you to specify a loopback interface as the source interface.

  • Page 396: Ssh2

    Usage guidelines To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends you to specify a loopback interface as the source interface.

  • Page 397

    prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used. zlib: Specifies the compression algorithm ZLIB. • zlib-openssh: Specifies the compression algorithm zlib@openssh.com. • prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode. •...

  • Page 398: Ssh2 Ipv6

    The preferred key exchange algorithm is dh-group14. • • The preferred server-to-client encryption algorithm is aes128. The preferred server-to-client HMAC algorithm is sha1-96. • Examples # Log in to Stelnet server 10.214.50.51, using the following connection scheme: • The preferred key exchange algorithm: dh-group1. The preferred server-to-client encryption algorithm: aes128.

  • Page 399

    prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used. zlib: Specifies the compression algorithm ZLIB. • zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com. • prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode. •...

  • Page 400

    The preferred key exchange algorithm is dh-group14. • • The preferred server-to-client encryption algorithm is aes128. The preferred server-to-client HMAC algorithm is sha1-96. • Examples # Log in to Stelnet server 2000::1, using the following connection scheme: • The preferred key exchange algorithm: dh-group1. The preferred server-to-client encryption algorithm: aes128.

  • Page 401: Ssl Configuration Commands

    SSL configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The following matrix shows the commands and router compatibility: Command 6602...

  • Page 402: Client-verify Enable

    rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA. rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5. rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.

  • Page 403: Client-verify Weaken

    <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] client-verify enable Related commands client-verify weaken • display ssl server-policy • client-verify weaken Use client-verify weaken to enable SSL client weak authentication. Use undo client-verify weaken to restore the default. Syntax client-verify weaken undo client-verify weaken Default SSL client weak authentication is disabled.

  • Page 404: Close-mode Wait

    close-mode wait Use close-mode wait to set the SSL connection close mode to wait mode. In this mode, after sending a close-notify alert message to a client, the server does not close the connection until it receives a close-notify alert message from the client. Use undo close-mode wait to restore the default.

  • Page 405: Display Ssl Server-policy

    exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about SSL client policy policy1. <Sysname>...

  • Page 406: Handshake Timeout

    Examples # Display information about SSL server policy policy1. <Sysname> display ssl server-policy policy1 SSL Server Policy: policy1 PKI Domain: domain1 Ciphersuite: RSA_RC4_128_MD5 RSA_RC4_128_SHA RSA_DES_CBC_SHA RSA_3DES_EDE_CBC_SHA RSA_AES_128_CBC_SHA RSA_AES_256_CBC_SHA Handshake Timeout: 3600 Close-mode: wait disabled Session Timeout: 3600 Session Cachesize: 500 Client-verify: disabled Client-verify weaken: disabled Table 56 Command output...

  • Page 407: Pki-domain

    Syntax handshake timeout time undo handshake timeout Default The handshake timeout time is 3600 seconds. Views SSL server policy view Default command level 2: System level Parameters time: Handshake timeout time in seconds. The value range is 180 to 7200. Usage guidelines If the SSL server receives no packet from the SSL client before the handshake timeout time expires, the SSL server terminates the handshake process.

  • Page 408: Prefer-cipher

    Usage guidelines If you do not specify a PKI domain for an SSL server policy, the SSL server generates and signs a certificate for itself rather than obtaining one from a CA server. Examples # Configure SSL server policy policy1 to use PKI domain server-domain. <Sysname>...

  • Page 409: Server-verify Enable

    rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA. rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.

  • Page 410: Session

    Related commands display ssl client-policy session Use session to set the maximum number of cached sessions and the caching timeout time. Use undo session to restore the default. Syntax session { cachesize size | timeout time } * undo session { cachesize | timeout } * Default The maximum number of cached sessions is 500 and the caching timeout time is 3600 seconds.

  • Page 411: Ssl Server-policy

    Syntax ssl client-policy policy-name undo ssl client-policy { policy-name | all } Views System view Default command level 2: System level Parameters policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be a, al, or all. all: Specifies all SSL client policies.

  • Page 412: Version

    <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] Related commands display ssl server-policy version Use version to specify the SSL protocol version for an SSL client policy. Use undo version to restore the default. Syntax In non-FIPS mode: version { ssl3.0 | tls1.0 } undo version In FIPS mode: version tls1.0...

  • Page 413: Ssl Vpn Configuration Commands

    SSL VPN configuration commands The following matrix shows the command and router compatibility: Command 6602 HSR6602 6604/6608/6616 SSL VPN commands Yes on routers with MCP MPU ssl-vpn enable Use ssl-vpn enable to enable the SSL VPN service. Use undo ssl-vpn enable to disable the SSL VPN service. Syntax ssl-vpn enable undo ssl-vpn enable...

  • Page 414

    Use undo ssl-vpn server-policy to restore the default. Syntax ssl-vpn server-policy server-policy-name [ port port-number ] undo ssl-vpn server-policy Default No SSL server policy is specified for the SSL VPN service. Views System view Default command level 2: System level Parameters server-policy-name: Name of the SSL server policy, a case-insensitive string of 1 to 16 characters.

  • Page 415: Firewall Configuration Commands

    Firewall configuration commands Packet-filter firewall configuration commands display firewall ipv6 statistics Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall. Syntax display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Views Any view...

  • Page 416: Display Firewall-statistics

    Table 57 Command output Field Description Interface Interface configured with the IPv6 packet filtering function. Indicates that an IPv6 ACL is configured in the inbound direction In-bound Policy of the interface. Indicates that an IPv6 ACL is configured in the outbound Out-bound Policy direction of the interface.

  • Page 417: Firewall Default

    exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display packet filtering statistics on all interfaces. <Sysname>...

  • Page 418: Firewall Ipv6 Default

    Syntax firewall enable { all | slot slot-number } undo firewall enable Default The IPv4 firewall function is disabled. Views System view Default command level 2: System level Parameters all: Specifies that the configuration applies to all interface cards. slot slot-number: Specifies that the configuration applies to the interface card in the specified slot. The following matrix shows the all keyword, the slot slot-number option, and hardware compatibility: Hardware Compatibility...

  • Page 419: Firewall Ipv6 Enable

    Examples # Specify the default filtering action of the IPv6 firewall as denying packets to pass. <Sysname> system-view [Sysname] firewall ipv6 default deny firewall ipv6 enable Use firewall ipv6 enable to enable the IPv6 firewall function. Use undo firewall ipv6 enable to disable the IPv6 firewall function. Syntax firewall ipv6 enable undo firewall ipv6 enable...

  • Page 420: Firewall Packet-filter Ipv6

    name acl-name: Specifies the name of a basic or advanced IPv4 ACL; a case-insensitive string of 1 to 63 characters that must start with an English letter a to z or A to Z. To avoid confusion, the word "all" cannot be used as the ACL name.

  • Page 421: Reset Firewall Ipv6 Statistics

    [Sysname-GigabitEthernet3/0/1] firewall packet-filter ipv6 2500 outbound reset firewall ipv6 statistics Use reset firewall ipv6 statistics to clear the packet filtering statistics of the IPv6 firewall. Syntax reset firewall ipv6 statistics { all | interface interface-type interface-number } Views User view Default command level 1: Monitor level Parameters...

  • Page 422: Aspf Configuration Commands

    ASPF configuration commands aspf-policy Use aspf-policy to create an ASPF policy and enter its view. Use undo aspf-policy to remove an ASPF policy. Syntax aspf-policy aspf-policy-number undo aspf-policy aspf-policy-number Views System view Default command level 2: System level Parameters aspf-policy-number: Specifies an ASPF policy number in the range of 1 to 99. Usage guidelines A defined ASPF policy can be applied through its policy number.

  • Page 423: Display Aspf Interface

    regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about all ASPF policies. <Sysname> display aspf all [ASPF Policy Configuration] Policy Number 1: icmp-error drop tcp syn-check Policy Number 2: undo icmp-error drop undo tcp syn-check [Interface Configuration] Interface...

  • Page 424: Display Aspf Policy

    Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.

  • Page 425: Display Port-mapping

    <Sysname> display aspf policy 1 [ASPF Policy Configuration] Policy Number 1: icmp-error drop tcp syn-check Table 60 Command output Field Description [ASPF Policy Configuration] ASPF policy configuration information. Policy Number ASPF policy number. icmp-error drop Drop ICMP error messages. Drop non-SYN packet that is the first packet over a tcp syn-check TCP connection.

  • Page 426: Firewall Aspf

    h323 1720 system defined http system defined rtsp system defined smtp system defined system defined https system defined 18000 system defined system defined Table 61 Command output Field Description SERVICE Application layer protocol that is mapped to a port. PORT Number of the port for the application layer protocol.

  • Page 427: Icmp-error Drop

    icmp-error drop Use icmp-error drop to specify to drop ICMP error messages. Use undo icmp-error drop to restore the default. Syntax icmp-error drop undo icmp-error drop Default ICMP error messages are not dropped. Views ASPF policy view Default command level 2: System level Examples # Configure ASPF policy 1 to drop ICMP error messages.

  • Page 428: Tcp Syn-check

    acl acl-number: Specifies the IPv4 ACL for indicating the host range. The ACL number is in the range of 2000 to 2999. Examples # Map port 3456 to the FTP protocol. <Sysname> system-view [Sysname] port-mapping ftp port 3456 Related commands display port-mapping tcp syn-check Use tcp syn-check to specify to drop any non-SYN packet that is the first packet over a TCP connection.

  • Page 429: Alg Configuration Commands

    ALG configuration commands Use alg to enable ALG for a protocol. Use undo alg to disable ALG for a protocol. Syntax alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp } undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp } Default The ALG feature is enabled for all protocols.

  • Page 430

    # Disable ALG for DNS. <Sysname> system-view [Sysname] undo alg dns...

  • Page 431: Session Management Commands

    Session management commands application aging-time Use application aging-time to set the aging timer for the sessions of an application layer protocol. Use undo application aging-time to restore the default. Syntax application aging-time { dns | ftp | msn | qq | sip } time-value undo application aging-time [ dns | ftp | msn | qq | sip ] Default The default session aging times for the application layer protocols vary with device models.

  • Page 432: Display Application Aging-time

    display application aging-time Use display application aging-time to display the session aging timers for the application layer protocols. Syntax display application aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression.

  • Page 433: Display Session Hardware

    Syntax display session aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.

  • Page 434: Display Session Relation-table

    Syntax display session hardware slot slot-number [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters slot slot-number: Displays the session count on the specified card. The slot-number argument represents the number of the slot where the card resides.

  • Page 435

    Parameters slot slot-number: Displays the relationship table entries on the specified card. The slot-number argument represents the number of the slot where the card resides. The following matrix shows the slot slot-number option and hardware compatibility: Hardware Compatibility 6602 HSR6602 6604/6608/6616 |: Filters command output by specifying a regular expression.

  • Page 436: Display Session Statistics

    Field Description Remaining lifetime of the relationship table entry, in seconds. AllowConn Number of sessions allowed by the relationship table entry. Total find Total number of found relationship table entries. display session statistics Use display session statistics to display statistics for the sessions. Syntax display session statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Views...

  • Page 437

    Current TCP session(s): 0 Half-Open: 0 Half-Close: 0 Current UDP session(s): 593951 Current ICMP session(s): 0 Current RAWIP session(s): 0 Current relation table(s): 50000 Session establishment rate: 184503/s Session establishment rate: Session establishment rate: 184503/s ICMP Session establishment rate: RAWIP Session establishment rate: Received TCP:...

  • Page 438: Display Session Table

    Field Description Dropped TCP Counts of dropped TCP packets and bytes. Dropped UDP Counts of dropped UDP packets and bytes. Dropped ICMP Counts of dropped ICMP packets and bytes. Dropped RAWIP Counts of dropped Raw IP packets and bytes. display session table Use display session table to display information about sessions.

  • Page 439

    If no slot number is specified, the command displays the sessions on all cards. If multiple keywords are specified, the command displays the sessions that match all these criteria. This command is not supported by the SPE-FWM-200, SPE-IPS-200, SPE-ACG-200, and FIP600 cards. Examples # Display brief information about all sessions.

  • Page 440: Reset Session

    Total find: 2 Table 66 Command output Field Description Initiator: Session information of the initiator. Responder: Session information of the responder. Transport layer protocol, TCP, UDP, ICMP, or Raw IP.. MPLS L3VPN that the session belongs to and the VLAN VPN-Instance/VLAN ID/VLL ID and INLINE that the session belongs to during Layer 2 forwarding.

  • Page 441: Reset Session Statistics

    Views User view Default command level 2: System level Parameters slot slot-number: Clears the sessions on the specified card. The slot-number argument represents the number of the slot where the card resides. The following matrix shows the slot slot-number option and hardware compatibility: Hardware Compatibility 6602...

  • Page 442: Session Aging-time

    Default command level 2: System level Parameters slot slot-number: Clears the session statistics on the specified card. The slot-number argument specifies the slot where the card resides. The following matrix shows the slot slot-number option and hardware compatibility: Hardware Compatibility 6602 HSR6602 6604/6608/6616...

  • Page 443: Session Checksum

    rawip-open: Specifies the aging timer for the sessions in the RAWIP_OPEN state. rawip-ready: Specifies the aging timer for the sessions in the RAWIP_READY state. syn: Specifies the aging timer for the TCP sessions in the SYN_SENT or SYN_RCV state. tcp-est: Specifies the aging timer for the TCP sessions in the ESTABLISHED state. udp-open: Specifies the aging timer for the UDP sessions in the OPEN state.

  • Page 444: Session Early-ageout

    Default command level 2: System level Parameters all: Enables checksum verification for TCP, UDP, and ICMP packets. icmp: Enables checksum verification for ICMP packets. tcp: Enables checksum verification for TCP packets. udp: Enables checksum verification for UDP packets. Examples # Enable checksum verification for UDP packets. <Sysname>...

  • Page 445: Session Log Bytes-active

    If the difference between the session aging time and the value specified by the shorten-time argument is less than 5 seconds, the session aging time becomes 5 seconds. Examples # Configure the session aging time to shorten by 100 seconds when the session ratio exceeds 80 percent, and to restore the normal values when the session ratio equals or drops below 20 percent.

  • Page 446: Session Log Packets-active

    Default command level 2: System level Parameters acl acl-number: Specifies the ACL to be used to match sessions for logging. The value range for the acl-number argument is 2000 to 3999. Inbound: Specifies session logs in the inbound direction. outbound: Specifies session logs in the outbound direction. Usage guidelines If you do not specify the acl acl-number option, the command enables session logging for all sessions on the interface.

  • Page 447: Session Log Time-active

    Examples # Set the packet count threshold for session logging to 10 mega-packets. <Sysname> system-view [Sysname] session log packets-active 10 session log time-active Use session log time-active to set the holdtime threshold for session logging. Use undo session log time-active to remove the setting. Syntax session log time-active time-value undo session log time-active...

  • Page 448: Session Persist Acl

    Parameters max-entries: Specifies the maximum number of sessions. The value range is 1 to 10000000. slot slot-number: Specifies a slot. The following matrix shows the slot slot-number option and hardware compatibility: Hardware Compatibility 6602 HSR6602 6604/6608/6616 Usage guidelines For distributed devices, you can set the maximum number of sessions based on slots. The maximum number should not exceed the session count specification of a device or a card.

  • Page 449

    A persistent session rule can reference only one ACL. Examples # Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours. <Sysname> system-view [Sysname] session persist acl 2000 aging-time 72 Related commands reset session...

  • Page 450: Connection Limit Configuration Commands

    Connection limit configuration commands connection-limit apply policy Use connection-limit apply policy to apply a connection limit policy to the NAT module. Use undo connection-limit apply policy to remove the application. Syntax connection-limit apply policy policy-number undo connection-limit apply policy policy-number Views System view Default command level...

  • Page 451: Display Connection-limit Policy

    Default command level 2: System level Parameters policy-number: Specifies the number of a connection limit policy. The value is 0. Usage guidelines A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy.

  • Page 452: Limit

    limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp max-connections 200 per-source Table 67 Command output Field Description Connection-limit policy Number of the connection limit policy. refcount 0, 1 limits Number of times that the policy is applied and number of rules in the policy. limit xxx Rule in the policy.

  • Page 453

    The connection limit rules in a policy are matched in ascending order of rule ID. Take the match order into consideration when assigning the rules IDs. HP recommends that you arrange the rule by limit granularity and limit range in ascending order.

  • Page 454: Web Filtering Configuration Commands

    Web filtering configuration commands display firewall http activex-blocking Use display firewall http activex-blocking to display information about ActiveX blocking. Syntax display firewall http activex-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ] Views Any view...

  • Page 455: Display Firewall Http Java-blocking

    ---------------------------------------------- .OCX .vbs Table 68 Command output Field Description Serial number. Match-Times Number of times that a suffix keyword is matched. Keywords ActiveX blocking suffix keyword. # Display detailed ActiveX blocking information. <Sysname> display firewall http activex-blocking verbose ActiveX blocking is enabled. No ACL group has been configured.

  • Page 456: Display Firewall Http Url-filter Host

    Examples # Display brief information about Java blocking. <Sysname> display firewall http java-blocking Java blocking is enabled. # Display Java blocking information for a specific suffix keyword. <Sysname> display firewall http java-blocking item .class The HTTP request packet including ".class" had been matched for 10 times. # Display Java blocking information for all suffix keywords.

  • Page 457

    item keywords: Specifies a filtering keyword, The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include 0 to 9, a to z, A to Z, dot (.), hyphen (-), underline (_), and wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*). For meanings and usage guidelines of the wildcards, see the relevant description for command firewall http url-filter host url-address.

  • Page 458: Display Firewall Http Url-filter Parameter

    Table 71 Command output Field Description Default method Default URL address filtering action, permit or deny. The support for IP address Support for website IP addresses, permit or deny. display firewall http url-filter parameter Use display firewall http url-filter parameter to display information about URL parameter filtering. Syntax display firewall http url-filter parameter [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]...

  • Page 459: Firewall Http Activex-blocking Acl

    # Display URL parameter filtering information for all keywords. <Sysname> display firewall http url-filter parameter all Match-Times Keywords ---------------------------------------------- ^select$ ^insert$ ^update$ ^delete$ ^drop$ ‘ ^exec$ qqqqq Table 72 Command output Field Description Serial number. Match-Times Number of times that the keyword has been matched. Keywords URL parameter filtering keyword.

  • Page 460: Firewall Http Activex-blocking Enable

    Usage guidelines After the command takes effect, all web requests containing any suffix keywords in the ActiveX blocking suffix list will be processed according to the ACL. You can specify multiple ACLs for ActiveX blocking, but only the last one takes effect. You can specify a non-existing ACL, but ActiveX blocking based on the ACL takes effect only after you create and configure the ACL correctly.

  • Page 461: Firewall Http Java-blocking Acl

    Syntax firewall http activex-blocking suffix keywords undo firewall http activex-blocking suffix keywords Views System view Default command level 2: System level Parameters keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters. Usage guidelines You can add a maximum of 5 ActiveX blocking suffix keywords.

  • Page 462: Firewall Http Java-blocking Enable

    You can specify multiple ACLs for Java blocking, but only the last one takes effect. You can specify a non-existing ACL, but Java blocking based on the ACL takes effect only after you create and configure the ACL correctly. Examples # Specify the ACL for Java blocking as ACL 2002.

  • Page 463: Firewall Http Url-filter Host Acl

    Views System view Default command level 2: System level Parameters keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters. Usage guidelines You can add a maximum of five Java blocking suffix keywords.

  • Page 464: Firewall Http Url-filter Host Default

    Examples # Specify URL address filtering to permit web requests with website IP addresses permitted by ACL 2000. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 0 permit source 3.3.3.3 0.0.0.0 [Sysname-acl-basic-2000] quit [Sysname] firewall http url-filter host acl 2000 Related commands display firewall http url-filter host firewall http url-filter host default...

  • Page 465: Firewall Http Url-filter Host Ip-address

    Default The URL address filtering function is disabled. Views System view Default command level 2: System level Examples # Enable the URL address filtering function. <Sysname> system-view [Sysname] firewall http url-filter host enable Related commands display firewall http url-filter host firewall http url-filter host ip-address Use firewall http url-filter host ip-address to enable/disable support for IP address in URL address filtering, that is, to permit or deny web requests using IP addresses for access to websites.

  • Page 466: Firewall Http Url-filter Host Url-address

    firewall http url-filter host url-address Use firewall http url-filter host url-address to add a URL address filtering entry and set the filtering action. Use undo firewall http url-filter host url-address to remove one or all URL address filtering entries. Syntax firewall http url-filter host url-address { deny | permit } url-address undo firewall http url-filter host url-address [ url-address ] Views...

  • Page 467: Firewall Http Url-filter Parameter

    A filtering entry with only numerals is invalid. To filter a website address like www.123.com, you can • define a filtering entry like ^123$, www.123.com, or 123.com, instead of 123. HP recommends that you use exact match to filter numeral website addresses.

  • Page 468: Firewall Http Url-filter Parameter Enable

    Wildcard Meaning Usage guidelines Matches parameters ending with It can be present once at the end of the keyword a filtering entry. It can be present multiple times at any position of a filtering entry, consecutively or inconsecutively, and cannot be used next to an &...

  • Page 469: Reset Firewall Http

    Views System view Default command level 2: System level Examples # Enable the URL parameter filtering function. <Sysname> system-view [Sysname] firewall http url-filter parameter enable Related commands display firewall http url-filter parameter reset firewall http Use reset firewall http to clear web filtering statistics. Syntax reset firewall http { activex-blocking | java-blocking | url-filter host | url-filter parameter } counter Views...

  • Page 470: Attack Detection And Protection Configuration Commands

    Attack detection and protection configuration commands attack-defense apply policy Use attack-defense apply policy to apply an attack protection policy to an interface. Use undo attack-defense apply policy to restore the default. Syntax attack-defense apply policy policy-number undo attack-defense apply policy Default No attack protection policy is applied to an interface.

  • Page 471: Attack-defense Policy

    Syntax attack-defense logging enable undo attack-defense logging enable Default Attack protection logging is disabled. Views System view Default command level 2: System level Examples # Enable attack protection logging. <Sysname> system-view [Sysname] attack-defense logging enable attack-defense policy Use attack-defense policy to create an attack protection policy and enter attack protection policy view. Use undo attack-defense policy to remove an attack protection policy.

  • Page 472: Blacklist Enable

    Related commands display attack-defense policy blacklist enable Use blacklist enable to enable the blacklist function. Use undo blacklist enable to restore the default. Syntax blacklist enable undo blacklist enable Default The blacklist function is disabled. Views System view Default command level 2: System level Usage guidelines After the blacklist function is enabled, you can add blacklist entries manually or configure the device to...

  • Page 473: Defense Icmp-flood Action Drop-packet

    Default command level 2: System level Parameters source-ip-address: IP address to be added to the blacklist, used to match the source IP address of packets. all: Specifies all blacklist entries. timeout minutes: Specifies an aging time for the blacklist entry. minutes indicates the aging time, and the value range is 1 to 1000, in minutes.

  • Page 474: Defense Icmp-flood Enable

    Related commands defense icmp-flood enable • defense icmp-flood ip • • defense icmp-flood rate-threshold display attack-defense policy • defense icmp-flood enable Use defense icmp-flood enable to enable ICMP flood attack protection. Use undo defense icmp-flood enable to restore the default. Syntax defense icmp-flood enable undo defense icmp-flood enable...

  • Page 475: Defense Icmp-flood Rate-threshold

    Default No ICMP flood attack protection thresholds are configured for an IP address. Views Attack protection policy view Default command level 2: System level Parameters ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.

  • Page 476: Defense Scan Add-to-blacklist

    Syntax defense icmp-flood rate-threshold high rate-number [ low rate-number ] undo defense icmp-flood rate-threshold Default The global action threshold is 1000 packet per second and the global silence threshold is 750 packets per second. Views Attack protection policy view Default command level 2: System level Parameters high rate-number: Sets the global action threshold for ICMP flood attack protection.

  • Page 477

    Syntax defense scan add-to-blacklist undo defense scan add-to-blacklist Default The blacklist function for scanning attack protection is not enabled. Views Attack protection policy view Default command level 2: System level Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address. If the connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate command), the device considers the IP address a scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less than the threshold.

  • Page 478: Defense Scan Blacklist-timeout

    defense scan max-rate • defense scan blacklist-timeout Use defense scan blacklist-timeout to specify the aging time for entries blacklisted by scanning attack protection. Use undo defense scan blacklist-timeout to restore the default, which is 10 minutes. Syntax defense scan blacklist-timeout minutes undo defense scan blacklist-timeout Views Attack protection policy view...

  • Page 479: Defense Scan Max-rate

    Default command level 2: System level Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address. If the connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate command), the device considers the IP address a scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less than the threshold.

  • Page 480: Defense Syn-flood Action

    [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense scan enable # Set the connection rate threshold for triggering scanning attack protection to 2000 connections per second. [Sysname-attack-defense-policy-1] defense scan max-rate 2000 Related commands blacklist enable • • defense scan add-to-blacklist defense scan blacklist-timeout •...

  • Page 481: Defense Syn-flood Enable

    defense syn-flood enable Use defense syn-flood enable to enable SYN flood attack protection. Use undo defense syn-flood enable to restore the default. Syntax defense syn-flood enable undo defense syn-flood enable Default SYN flood attack protection is disabled. Views Attack protection policy view Default command level 2: System level Examples...

  • Page 482: Defense Syn-flood Rate-threshold

    high rate-number: Sets the action threshold for SYN flood attack protection of the specified IP address. The rate-number argument indicates the number of SYN packets sent to the specified IP address per second and is in the range of 1 to 64000. With SYN flood attack protection enabled, the device enters attack detection state.

  • Page 483: Defense Udp-flood Action Drop-packet

    Parameters high rate-number: Sets the global action threshold for SYN flood attack protection. The rate-number argument indicates the number of SYN packets sent to an IP address per second and is in the range of 1 to 64000. With the SYN flood attack protection enabled, the device enters attack detection state. When the device detects that the sending rate of SYN packets destined for an IP address constantly reaches or exceeds the specified action threshold, the device considers the IP address to be under attack, enters attack protection state, and takes protection actions as configured.

  • Page 484: Defense Udp-flood Enable

    Examples # Configure attack protection policy 1 to drop UDP flood packets. <Sysname> system-view [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense udp-flood action drop-packet Related commands defense udp-flood enable • defense udp-flood ip • defense udp-flood rate-threshold • • display attack-defense policy defense udp-flood enable Use defense udp-flood enable to enable UDP flood attack protection.

  • Page 485

    Syntax defense udp-flood ip ip-address rate-threshold high rate-number [ low rate-number ] undo defense udp-flood ip ip-address [ rate-threshold ] Default No UDP flood attack protection thresholds are configured for an IP address. Views Attack protection policy view Default command level 2: System level Parameters ip-address: IP address to be protected.

  • Page 486: Defense Udp-flood Rate-threshold

    defense udp-flood rate-threshold Use defense udp-flood rate-threshold to configure the global action and silence thresholds for UDP flood attack protection. The device uses the global attack protection thresholds to protect the IP addresses for which you do not configure attack protection parameters specifically. Use undo defense udp-flood rate-threshold to restore the default.

  • Page 487: Display Attack-defense Policy

    defense udp-flood enable • • display attack-defense policy display attack-defense policy Use display attack-defense policy to display configuration information about one or all attack protection policies. Syntax display attack-defense policy [ policy-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...

  • Page 488

    Add to blacklist : Enabled Blacklist timeout : 10 minutes Max-rate : 1000 connections/s Signature-detect action : Drop-packet -------------------------------------------------------------------------- ICMP flood attack-defense : Enabled ICMP flood action : Syslog ICMP flood high-rate : 2000 packets/s ICMP flood low-rate : 750 packets/s ICMP flood attack-defense for specific IP addresses: High-rate(packets/s) Low-rate(packets/s)

  • Page 489

    Filed Description WinNuke attack-defense Indicates whether WinNuke attack protection is enabled. LAND attack-defense Indicates whether Land attack protection is enabled. Source route attack-defense Indicates whether Source Route attack protection is enabled. Route record attack-defense Indicates whether Route Record attack protection is enabled. Scan attack-defense Indicates whether scanning attack protection is enabled.

  • Page 490: Display Attack-defense Statistics Interface

    None GigabitEthernet3/0/2 Related commands attack-defense policy display attack-defense statistics interface Use display attack-defense statistics interface to display the attack protection statistics of an interface. Syntax display attack-defense statistics interface interface-type interface-number [ | { begin | exclude | include } regular-expression ] Views Any view...

  • Page 491

    Route record packets dropped : 100 Source route attacks Source route packets dropped : 100 Smurf attacks Smurf packets dropped : 100 TCP flag attacks TCP flag packets dropped : 100 Tracert attacks Tracert packets dropped : 100 WinNuke attacks WinNuke packets dropped : 100 Scan attacks...

  • Page 492: Display Blacklist

    Field Description Tracert attacks Number of detected Tracert attacks. Tracert packets dropped Number of Tracert packets dropped. WinNuke attacks Number of detected WinNuke attacks. WinNuke packets dropped Number of WinNuke packets dropped. Scan attacks Number of detected scanning attacks. Scan attack packets dropped Number of scanning attack packets dropped.

  • Page 493

    Option 6602 HSR6602 6604/6608/6616 slot slot-number |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.

  • Page 494: Display Flow-statistics Statistics

    Related commands blacklist enable • blacklist ip • display flow-statistics statistics Use display flow-statistics statistics to display traffic statistics on interfaces based on IP addresses. Syntax display flow-statistics statistics [ slot slot-number ] { destination-ip dest-ip-address | source-ip src-ip-address } [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...

  • Page 495: Display Flow-statistics Statistics Interface

    ----------------------------------------------------------- IP Address 192.168.1.2 ----------------------------------------------------------- Total number of existing sessions Session establishment rate 10/s TCP sessions Half-open TCP sessions Half-close TCP sessions TCP session establishment rate 10/s UDP sessions UDP session establishment rate 10/s ICMP sessions ICMP session establishment rate 10/s RAWIP sessions RAWIP session establishment rate...

  • Page 496

    Default command level 1: Monitor level Parameters interface-type interface-number: Specifies an interface by its type and number. inbound: Displays traffic statistics in the inbound direction of an interface. outbound: Displays traffic statistics in the outbound direction of an interface. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

  • Page 497: Display Tcp-proxy Protected-ip

    Field Description UDP session establishment rate UDP connection establishment rate. ICMP sessions Number of ICMP connections. ICMP session establishment rate ICMP connection establishment rate. RAWIP sessions Number of RAWIP connections. RAWIP session establishment rate RAWIP connection establishment rate. display tcp-proxy protected-ip Use display tcp-proxy protected-ip to display information about IP addresses protected by the TCP proxy function.

  • Page 498: Flow-statistics Enable

    Field Description Type of the protected IP address. Dynamic indicates that the entry was Type dynamically added by the device. Remaining lifetime of the entry. If the value of this field is 0, the entry is Lifetime(min) deleted. Number of packets matching this entry that have been dropped by the Rejected packets TCP proxy function.

  • Page 499: Reset Attack-defense Statistics Interface

    reset attack-defense statistics interface Use reset attack-defense statistics interface to clear the attack protection statistics of an interface. Syntax reset attack-defense statistics interface interface-type interface-number Views User view Default command level 1: Monitor level Parameters interface-type interface-number: Specifies an interface by its type and number. Examples # Clear the attack protection statistics of interface GigabitEthernet 3/0/1.

  • Page 500: Signature-detect Action Drop-packet

    route-record: Specifies the route record packet attack. smurf: Specifies the Smurf packet attack. source-route: Specifies the source route packet attack. tcp-flag: Specifies the TCP flag packet attack. tracert: Specifies the Tracert packet attack. winnuke: Specifies the Winnuke packet attack. Examples # Enable signature detection of Fraggle attack in attack protection policy 1.

  • Page 501: Tcp-proxy Enable

    Syntax signature-detect large-icmp max-length length undo signature-detect large-icmp max-length Default An ICMP packet length of 4000 bytes triggers large ICMP attack protection. Views Attack protection policy view Default command level 2: System level Parameters length: Maximum length of an ICMP packet, in the range of 28 to 65534 bytes. Usage guidelines With signature detection of large ICMP attack enabled, a device considers all ICMP packets longer than the specified maximum length as large ICMP attack packets.

  • Page 502: Tcp-proxy Mode

    Default command level 2: System level Usage guidelines Usually, the TCP proxy function is used on a device's interfaces connected to external networks to protect internal servers from SYN flood attacks. When detecting a SYN flood attack, the device can take protection actions configured by using the defense syn-flood action command.

  • Page 503

    Related commands tcp-proxy enable • display tcp-proxy protected-ip •...

  • Page 504: Tcp Attack Protection Configuration Commands

    TCP attack protection configuration commands display tcp status Use display tcp status to display status of all TCP connections for monitoring TCP connections. Syntax display tcp status [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters...

  • Page 505: Tcp State

    Use undo tcp anti-naptha enable to disable the protection against Naptha attack. Syntax tcp anti-naptha enable undo tcp anti-naptha enable Default The protection against Naptha attack is disabled. Views System view Default command level 2: System level Usage guidelines The configurations made by using the tcp state and tcp timer check-state commands are removed after the protection against Naptha attack is disabled.

  • Page 506: Tcp Syn-cookie Enable

    last-ack: LAST_ACK state of a TCP connection. syn-received: SYN_RECEIVED state of a TCP connection. connection-number number: Maximum number of TCP connections in a certain state. The argument number is in the range of 0 to 500. Usage guidelines You need to enable the protection against Naptha attack before executing this command. Otherwise, an error is prompted.

  • Page 507

    Use undo tcp timer check-state to restore the default. Syntax tcp timer check-state time-value undo tcp timer check-state Default The TCP connection state check interval is 30 seconds. Views System view Default command level 2: System level Parameters time-value: TCP connection state check interval in seconds, in the range of 1 to 60. Usage guidelines The device periodically checks the number of TCP connections in each state.

  • Page 508: Ip Source Guard Configuration Commands

    IP source guard configuration commands IP source guard configuration commands are available only for SAP interface modules operating in Layer 2 mode. display ip source binding Use display ip source binding to display IPv4 source guard entries. Syntax display ip source binding [ static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Views Any view...

  • Page 509: Ip Source Binding

    <Sysname> display ip source binding Total entries found: 5 MAC Address IP Address VLAN Interface Type 040a-0000-4000 10.1.0.9 GE3/0/1 Static 040a-0000-3000 10.1.0.8 GE3/0/1 DHCP-SNP 040a-0000-2000 10.1.0.7 GE3/0/1 DHCP-SNP 040a-0000-1000 10.1.0.6 GE3/0/2 DHCP-RLY 040a-0000-0000 GE3/0/2 DHCP-RLY # Display all static IPv4 source guard entries. <Sysname>...

  • Page 510: Ip Verify Source

    Default No static IPv4 binding entry exists on a port. Views Layer 2 Ethernet interface view Default command level 2: System level Parameters ip-address ip-address: Specifies the IPv4 address for the static binding entry. The IPv4 address cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address. mac-address mac-address: Specifies the MAC address for the static binding in the format H-H-H.

  • Page 511: Ip Verify Source Max-entries

    Parameters ip-address: Binds source IPv4 addresses to the port. ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port. mac-address: Binds source MAC addresses to the port. Usage guidelines After you enable the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard entries based on the DHCP snooping entries or the DHCP-relay entries, and all static IPv4 source guard entries on the port become effective.

  • Page 512

    Parameters number: Maximum number of IPv4 source guard entries allowed on a port, in the range of 0 to 256. Usage guidelines If the maximum number of IPv4 binding entries to be configured is smaller than the number of existing IPv4 binding entries on the port, the maximum number can be configured successfully and the existing entries will not be affected.

  • Page 513: Arp Attack Protection Configuration Commands

    ARP attack protection configuration commands IP flood protection configuration commands arp resolving-route enable Use arp resolving-route enable to enable ARP black hole routing. Use undo arp resolving-route enable to disable the function. Syntax arp resolving-route enable undo arp resolving-route enable Default ARP black hole routing is disabled.

  • Page 514: Arp Source-suppression Limit

    Examples # Enable the ARP source suppression function. <Sysname> system-view [Sysname] arp source-suppression enable Related commands display arp source-suppression arp source-suppression limit Use arp source-suppression limit to set the maximum number of unresolvable IP packets that be received from a device in five seconds. Unresolvable IP packets refer to packets that cannot be resolved by ARP. Use undo arp source-suppression limit to restore the default value, which is 10.

  • Page 515: Arp Packet Rate Limit Configuration Commands

    Default command level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.

  • Page 516: Arp Packet Source Mac Consistency Check Configuration Commands

    Parameters disable: Disables ARP packet rate limit. rate pps: ARP packet rate in pps, in the range of 5 to 8192. drop: Discards the exceeded packets. slot slot-number: Specifies the slot number of the card. The following matrix shows the option and router compatibility: Option 6602 HSR6602...

  • Page 517: Arp Active Acknowledgement Configuration Commands

    [Sysname] arp anti-attack valid-check enable ARP active acknowledgement configuration commands arp anti-attack active-ack enable Use arp anti-attack active-ack enable to enable the ARP active acknowledgement function. Use undo arp anti-attack active-ack enable to restore the default. Syntax arp anti-attack active-ack enable undo arp anti-attack active-ack enable Default The ARP active acknowledgement function is disabled.

  • Page 518: Arp Detection Configuration Commands

    Default Authorized ARP is not enabled on the interface. Views Layer 3 Ethernet interface view Default command level 2: System level Examples # Enable authorized ARP on GigabitEthernet 3/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] arp authorized enable ARP detection configuration commands NOTE: The commands of this feature are supported only when SAP modules operate in bridge mode.

  • Page 519: Arp Detection Enable

    ip-address: Matches a sender IP address. • • ip-address-mask: Specifies the mask for the sender IP address in dotted decimal format. If no mask is specified, the ip-address argument specifies a host IP address. mac { any | mac-address [ mac-address-mask ] }: Specifies the sender MAC address range. any: Matches any sender MAC address.

  • Page 520: Arp Detection Trust

    arp detection trust Use arp detection trust to configure the port as an ARP trusted port. Use undo arp detection trust to restore the default. Syntax arp detection trust undo arp detection trust Default The port is an ARP untrusted port. Views Layer 2 Ethernet interface view Default command level...

  • Page 521: Arp Restricted-forwarding Enable

    ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests are checked.

  • Page 522: Display Arp Detection Statistics

    Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.

  • Page 523: Reset Arp Detection Statistics

    GE3/0/1(U) GE3/0/2(U) GE3/0/3(T) GE3/0/4(U) Table 84 Command output Field Description Interface(State) State T or U identifies a trusted or untrusted port. Number of ARP packets discarded due to invalid source and destination IP addresses. Number of ARP packets discarded due to invalid source MAC Src-MAC address.

  • Page 524: Arp Scan

    Syntax arp fixup Views System view Default command level 2: System level Usage guidelines The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries. The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports.

  • Page 525: Arp Gateway Protection Configuration Commands

    range contains multiple network segments, the sender IP address in the ARP request is the interface address on the smallest network segment. If no address range is specified, the device only scans the network where the primary IP address of the interface resides for neighbors.

  • Page 526: Arp Filtering Configuration Commands

    Parameters ip-address: IP address of a protected gateway. Usage guidelines You can enable ARP gateway protection for up to eight gateways on a port. You cannot configure both arp filter source and arp filter binding commands on a port. Examples # Enable ARP gateway protection for the gateway with IP address 1.1.1.1.

  • Page 527

    <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] arp filter binding 1.1.1.1 2-2-2...

  • Page 528: Nd Attack Defense Configuration Commands

    ND attack defense configuration commands ipv6 nd mac-check enable Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets. Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets. Syntax ipv6 nd mac-check enable undo ipv6 nd mac-check enable Default Source MAC consistency check is disabled for ND packets.

  • Page 529: Urpf Configuration Commands

    URPF configuration commands ip urpf Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks. Use undo ip urpf to disable URPF check. Syntax ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ] undo ip urpf Default URPF check is disabled.

  • Page 530: Fips Configuration Commands

    FIPS configuration commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Default command level 1: Monitor level Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled Related commands fips mode enable...

  • Page 531: Fips Self-test

    Enable FIPS mode. Enable the password control function. Configure the username and password to log in to the device in FIPS mode. The password must comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters. Delete all MD5-based digital certificates.

  • Page 532

    Default command Level 3: Manage level Usage guidelines To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots. Examples # Trigger a self-test on the cryptographic algorithms.

  • Page 533: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...

  • Page 534: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...

  • Page 535

    Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 536: Index

    Index A B C D E F G H I K L M N O P Q R S T U V W attribute,246 attribute 25 car,58 aaa nas-id profile,1 authentication default,10 access-limit,41 authentication dvpn,1 1 access-limit enable,1 authentication lan-access,12 access-user detect,156 authentication...

  • Page 537

    ciphersuite,388 display attack-defense statistics interface,477 client-verify enable,389 display blacklist,479 client-verify weaken,390 display connection,27 close-mode wait,391 display connection-limit policy,438 common-name,251 display domain,31 connection-limit apply policy,437 display dot1x,120 connection-limit policy,437 display fips status,517 connection-name,273 display firewall http activex-blocking,441 country,252 display firewall http java-blocking,442 check,252 display firewall http url-filter...

  • Page 538

    display port-security,190 dot1x re-authenticate,138 display port-security mac-address block,193 dot1x retry,139 display port-security mac-address security,195 dot1x supp-proxy-check,140 display public-key local public,234 dot1x timer,141 display public-key peer,235 dot1x timer ead-timeout,145 display radius scheme,59 dot1x unicast-trigger,142 display radius statistics,62 dot1x url,146 display session aging-time,419 dpd,334 display session...

  • Page 539

    group,50 key (HWTACACS scheme view),104 group-attribute allow-guest,51 key (RADIUS scheme view),70 handshake timeout,393 ldap-server,260 help,368 limit,439 hwtacacs nas-ip,103 local,343 hwtacacs scheme,104 local-address,344 locality,261 local-name,345 icmp-error drop,414 local-user,51 idle-cut enable,35 ls,368 id-type,336 dpd,337 local-name,338 mac-authentication,150 ike next-payload check disabled,339 mac-authentication domain,151 ike peer (system view),340 mac-authentication...

  • Page 540

    password-control login idle-time,225 port-security max-mac-count,202 password-control login-attempt,225 port-security ntk-mode,203 password-control password update interval,227 port-security oui,204 password-control super aging,227 port-security port-mode,205 password-control super composition,228 port-security timer autolearn aging,207 password-control super length,229 port-security timer disableport,207 peer,346 port-security trap,208 peer-public-key end,237 prefer-cipher,395 pfs,305 pre-shared-key,347 pki certificate access-control-policy,263...

  • Page 541

    reset firewall-statistics,408 self-service-url enable,39 reset hwtacacs statistics,109 server-type,90 reset ike sa,350 server-verify enable,396 reset ipsec sa,307 service-type,54 reset ipsec statistics,308 session,397 reset mac-authentication statistics,155 session aging-time,429 reset password-control blacklist,230 session checksum,430 reset password-control history-record,230 session early-ageout,431 reset portal connection statistics,188 session log bytes-active,432 reset portal server...

  • Page 542

    stop-accounting-buffer enable (HWTACACS scheme timer response-timeout (RADIUS scheme view),95 view),1 15 transform,321 stop-accounting-buffer enable (RADIUS scheme transform-set,321 view),92 tunnel local,322 Subscription service,520 tunnel remote,323 tcp anti-naptha enable,491 user-group,55 state,492 user-name-format (HWTACACS scheme view),1 18 syn-check,415 user-name-format (RADIUS scheme view),96 tcp syn-cookie enable,493 user-profile,21 1 tcp timer...

This manual also for:

Hp 6600

Comments to this Manuals

Symbols: 0
Latest comments: