AAA configuration commands
General AAA configuration commands
aaa nas-id profile
Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs. Use undo aaa nas-id profile to remove a NAS ID profile.
Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name...
Parameters max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646. Usage guidelines System resources are limited, and user connections may compete for network resources when there are many users. Setting a proper limit to the number of online users helps provide reliable system performance.
accounting default
Use accounting default to configure the default accounting method for an ISP domain. Use undo accounting default to restore the default.
Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default
Default
The default accounting method of an ISP domain is local.
Syntax accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] } undo accounting dvpn Default The default accounting method for the ISP domain is used for DVPN users. Views ISP domain view Default command level 2: System level Parameters local: Performs local accounting.
Views ISP domain view Default command level 2: System level Parameters local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines This command is supported only on SAP interface modules that are operating in Layer 2 mode.
Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured.
real-time accounting updates for the user. The accounting optional feature applies to scenarios where accounting is not important. After you configure the accounting optional command, the setting configured by the access-limit command in local user view has no effect.
Examples
# Enable the accounting optional feature for users in domain test.
• radius scheme
accounting ppp
Use accounting ppp to configure the accounting method for PPP users. Use undo accounting ppp to restore the default.
Syntax
accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting ppp
Default
The default accounting method for the ISP domain is used for PPP users.
authentication default
Use authentication default to configure the default authentication method for an ISP domain. Use undo authentication default to restore the default.
Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
undo authentication dvpn Default The default authentication method for the ISP domain is used for DVPN users. Views ISP domain view Default command level 2: System level Parameters local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Default command level 2: System level Parameters local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines This command is supported only on SAP interface modules that are operating in Layer 2 mode. The specified RADIUS scheme must have been configured.
Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for portal users.
<Sysname>...
Examples
# Configure ISP domain test to use local authentication for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp local
# Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local authentication as the backup.
<Sysname>...
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
Related commands
• hwtacacs scheme
• radius scheme
• super authentication-mode (Fundamentals Command Reference)
authorization command
Use authorization command to configure the command line authorization method. Use undo authorization command to restore the default.
Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }...
• authorization default
• hwtacacs scheme
authorization default
Use authorization default to configure the default authorization method for an ISP domain. Use undo authorization default to restore the default.
Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default
Default...
authorization dvpn
Use authorization dvpn to configure the authorization method for DVPN users. Use undo authorization dvpn to restore the default.
Syntax
authorization dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization dvpn
Default
The default authorization method for the ISP domain is used for DVPN users.
Views
ISP domain view
Default command level...
Syntax authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } undo authorization lan-access Default The default authorization method for the ISP domain is used for LAN users. Views ISP domain view Default command level 2: System level Parameters local: Performs local authorization.
undo authorization login Default The default authorization method for the ISP domain is used for login users. Views ISP domain view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization.
Default The default authorization method for the ISP domain is used for portal users. Views ISP domain view Default command level 2: System level Parameters local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly.
Views ISP domain view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated PPP user can access the network directly.
Views ISP domain view Default command level 3: Manage level Parameters profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide. Usage guidelines After a user of an ISP domain passes authentication, if the server (or the access device in the case of local authentication) does not authorize any user profile to the ISP domain, the system uses the user profile specified by the authorization-attribute user-profile command as that of the ISP domain.
domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a string of 1 to 24 characters. interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces are supported.
If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), the device uses the mandatory authentication domain to perform authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain.
IP=10.0.0.1 IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorization VLAN=20
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
SessionTimeout=60(s), Terminate-Action=Radius-Request
Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
Chassis 1 slot: Total 0 connection matched.
Chassis 1 slot: Total 0 connection matched.
Table 1 Command output
Field Description...
Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression.
Self-service : Disabled
Authorization attributes :
User-profile : profile1
Default Domain Name: system
Total 2 domain(s).
Table 2 Command output
Field: Description
Domain: ISP domain name.
State: Status of the ISP domain: active or blocked. Users in an active ISP domain can request network services, and users in a blocked ISP domain cannot.
• state
domain
Use domain to create an ISP domain and enter ISP domain view. Use undo domain to remove an ISP domain.
Syntax
domain isp-name
undo domain isp-name
Default
There is a system predefined ISP domain named system in the system.
Views
System view
Default command level...
Default The default ISP domain is the system predefined ISP domain system. Views System view Default command level 3: Manage level Parameters isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters. Usage guidelines There can be only one default ISP domain. The specified domain must already exist.
Usage guidelines The device chooses an authentication domain for each user in the following order: • The authentication domain specified for the access module • The ISP domain in the username • The default ISP domain of the device • The ISP domain specified for users with unknown domain names If all the domains are unavailable, user authentication fails.
Examples
# Enable the idle cut function and set the idle timeout period to 50 minutes and the traffic threshold to 1024 bytes for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] idle-cut enable 50 1024
Related commands
domain
ip pool
Use ip pool to configure an address pool for assigning addresses to PPP users.
Related commands
• ip pool (Layer 2—WAN Command Reference)
• remote address (Layer 2—WAN Command Reference)
nas-id bind vlan
Use nas-id bind vlan to bind a NAS ID with a VLAN. Use undo nas-id bind vlan to remove a NAS ID-VLAN binding.
Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id...
Default The self-service server location function is disabled. Views ISP domain view Default command level 2: System level Parameters url-string: URL of the self-service server, a string of 1 to 64 characters that starts with http:// and contains no question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation.
[Sysname] domain test
[Sysname-isp-test] session-time include-idle-time
Related commands
idle-cut enable
state (ISP domain view)
Use state to set the status of an ISP domain. Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
An ISP domain is in active state.
Default There is no limit to the number of users who concurrently use the same local user account. Views Local user view Default command level 3: Manage level Parameters max-user-number: Maximum number of concurrent users of the same local user account, ranging from 1 to 1024.
callback-number callback-number: Specifies the authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user. idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period is logged out.
[Sysname] local-user abc
[Sysname-luser-abc] authorization-attribute vlan 2
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3
bind-attribute
Use bind-attribute to configure binding attributes for a local user. Use undo bind-attribute to remove binding attributes of a local user.
Syntax
bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *...
[Sysname] local-user abc
[Sysname-luser-abc] bind-attribute ip 3.3.3.3
display local-user
Use display local-user to display configuration and statistics information about local users.
Syntax
In standalone mode:
display local-user [ idle-cut { disable | enable } | service-type { dvpn | ftp | lan-access | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
In IRF mode:...
exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameter, the command displays information about all local users. If you do not specify a card, the command displays information about local users on all cards.
Vlan ID:
Authorization attributes:
Idle TimeOut: 10(min)
Work Directory: cfa0:/
User Privilege:
Acl ID: 2000
Vlan ID:
User Profile: prof1
Expiration date: 12:12:12-2018/09/16
Password aging: Enabled (30 days)
Password length: Enabled (4 characters)
Password composition: Enabled (4 types, 2 characters per type)
Total 1 local user(s) matched.
display user-group
Use display user-group to display the configuration of user groups.
Syntax
display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
group-name: Specifies a user group name, a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression.
Field Description VLAN ID Authorized VLAN for the local users in the group. User-Profile User profile for local user authorization. Callback-number Authorized PPP callback number for the local users in the group. Password aging Password aging time for the local users in the group. Password length Minimum password length for the local users in the group.
Related commands
validity-date
group
Use group to assign a local user to a user group. Use undo group to restore the default.
Syntax
group group-name
undo group
Default
A local user belongs to the system default user group system.
Views
Local user view
Default command level
3: Manage level...
Examples
# Set the guest attribute for user group test.
<Sysname> system-view
[Sysname] user-group test
[Sysname-ugroup-test] group-attribute allow-guest
local-user
Use local-user to add a local user and enter local user view. Use undo local-user to remove the specified local users.
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | portal | ppp | ssh | telnet |...
• service-type
password
Use password to configure a password for a local user. Use undo password to delete the password of a local user.
Syntax
password [ [ hash ] { cipher | simple } password ]
undo password
Views
Local user view
Default command level
2: System level...
# Set the password to 123456 in plain text for local user user1, and enable hash-based encryption for the password.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password hash simple 123456
Related commands
display local-user
service-type
Use service-type to specify the service types that a user can use. Use undo service-type to delete one or all service types configured for a user.
state (local user view)
Use state to set the status of a local user. Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Default command level
2: System level
Parameters...
Usage guidelines A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
attribute 25 car
Use attribute 25 car to specify the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters. Use undo attribute 25 car to restore the default.
Syntax
attribute 25 car
undo attribute 25 car
Default
RADIUS attribute 25 is not interpreted as CAR parameters.
Usage guidelines
The unit for data flows and that for packets must be consistent with those on the RADIUS server. Otherwise, accounting cannot be performed correctly.
Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets, respectively, in RADIUS scheme radius1.
Examples
# Display the configuration of all RADIUS schemes.
<Sysname> display radius scheme
------------------------------------------------------------------
SchemeName : radius1 Index : 0 Type : extended
Primary Auth Server:
IP: 1.1.1.1 Port: 1812 State: active
Encryption Key : ******
VPN instance
Probe username : N/A
Probe interval : N/A
Primary Acct Server:
IP: 1.1.1.1...
Table 5 Command output
Field: Description
SchemeName: Name of the RADIUS scheme.
Index: Index number of the RADIUS scheme.
Type: Type of the RADIUS server supported on the router:
• Extended—The RADIUS server uses the proprietary RADIUS protocol of Hewlett Packard Enterprise for packet exchange.
•...
Field Description Username format Format of the usernames to be sent to the RADIUS server. Data flow unit Unit for data flows sent to the RADIUS server. Packet unit Unit for packets sent to the RADIUS server. NAS-IP address Source IP address for RADIUS packets to be sent. Attribute 25 Interprets RADIUS attribute 25 as the CAR parameters.
Received and Sent packets statistic:
Sent PKT total = 1547
Received PKT total = 23
Resend Times Resend total
Total 1016
RADIUS received packets statistic:
Code = Num = 15 Err = 0
Code = Num = 4 Err = 0
Code = Num = 4 Err = 0...
Table 6 Command output Field Description slot Number of the slot in which the card resides. state statistic User statistics, by state. DEAD Number of idle users. AuthProc Number of users waiting for authentication. AuthSucc Number of users who have passed authentication. AcctStart Number of users for whom accounting has been started.
Field Description Set policy result Number of responses to the Set policy packets. Accounting on request Counts of accounting-on requests. Accounting on response Counts of accounting-on responses. Dynamic Author Ext request Counts of dynamic authorization extension requests. RADIUS sent messages statistic Statistics for sent RADIUS messages.
Default command level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters. session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok
# For RADIUS scheme radius1, set the shared key for secure authentication/authorization communication to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text.
A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new one overwrites the old one. The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes.
Usage guidelines Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server. The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization server, which must be a valid global unicast address. port-number: Specifies the service port number of the primary RADIUS authentication/authorization server, which is a UDP port number ranging from 1 to 65535 and defaults to 1812. key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary RADIUS authentication/authorization server.
For 802.1X authentication, if the status of every server is block, the device assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To ensure that the device can set the server to its actual status, set a longer quiet timer for the primary server with the timer quiet command.
• If local authentication, authorization, or accounting is configured as the backup, the device performs local authentication, authorization, or accounting instead after the RADIUS request fails. Local accounting is only for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1
Related commands
nas-ip
radius scheme
Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view. Use undo radius scheme to delete a RADIUS scheme.
undo radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
Default
The trap function is disabled for RADIUS.
Views
System view
Default command level
2: System level
Parameters
accounting-server-down: Sends traps when the reachability of the accounting server changes.
authentication-error-threshold: Sends traps when the number of authentication failures exceeds the specified threshold.
Parameters slot slot-number: Specifies a card by its slot number. The slot-number argument represents the slot number of the card. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device, and the slot-number argument represents the slot number of the card.
Examples
# Clear the stop-accounting requests buffered for user user0001@test.
<Sysname> reset stop-accounting-buffer user-name user0001@test
# Clear the stop-accounting requests buffered in the time range from 0:0:0 to 23:59:59 on August 31, 2006.
<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006
Related commands
•...
retry realtime-accounting
Use retry realtime-accounting to set the maximum number of accounting attempts. Use undo retry realtime-accounting to restore the default.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Default command level
2: System level
Parameters...
retry stop-accounting (RADIUS scheme view)
Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts. Use undo retry stop-accounting to restore the default.
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
Default
The maximum number of stop-accounting request transmission attempts is 500.
Views
RADIUS scheme view
Default command level...
If you remove a secondary accounting server when the device has already sent a start-accounting request to the server, the communication with the secondary server times out, and the device looks for a server in active state from the primary server on. If you remove an accounting server being used by online users, the device can no longer send real-time accounting requests or stop-accounting requests for the users, and it does not buffer the stop-accounting requests.
port-number: Specifies the service port number of the secondary RADIUS authentication/authorization server, which is a UDP port number ranging from 1 to 65535 and defaults to 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary RADIUS authentication/authorization server.
For 802.1X authentication, if the status of every server is block, the device assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To make sure the device can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command.
Default command level 2: System level Parameters ip-address: Specifies a security policy server by its IP address. all: Specifies all security policy servers. Usage guidelines You can specify up to eight security policy servers for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Default command level...
Default Every secondary RADIUS server specified in a RADIUS scheme is in active state. Views RADIUS scheme view Default command level 2: System level Parameters accounting: Sets the status of the secondary RADIUS accounting server. authentication: Sets the status of the secondary RADIUS authentication/authorization server. ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
Views
RADIUS scheme view
Default command level
2: System level
Usage guidelines
A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request that receives no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit.
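The buffer-and-resend behaviour described in these usage guidelines, the retry stop-accounting limit, and the reset stop-accounting-buffer user-name command earlier on this page can be modelled as a small queue. The Python below is an added example written for this page; it is not Comware code. The accounting server, the session IDs and the user names are constructed, and the retry limit is kept small for the simulation (the page's RADIUS default is 500).

```python
"""Simulation of NAS stop-accounting buffering and retransmission.

Added example, not Comware code. Models the documented behaviour: a
stop-accounting request that gets no response is buffered and resent until
the server answers or the attempt count reaches the configured retry limit.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class StopAccountingRequest:
    user_name: str
    session_id: str
    attempts: int = 0          # transmissions so far, including the first one


@dataclass
class StopAccountingBuffer:
    retry_limit: int                                  # retry stop-accounting retry-times
    send: Callable[[StopAccountingRequest], bool]     # True when the server acknowledges
    pending: Dict[str, StopAccountingRequest] = field(default_factory=dict)
    dropped: List[str] = field(default_factory=list)  # sessions that hit the limit

    def submit(self, req: StopAccountingRequest) -> bool:
        """First transmission; buffer the request when no response arrives."""
        req.attempts += 1
        if self.send(req):
            return True
        self.pending[req.session_id] = req
        return False

    def resend_pending(self) -> None:
        """One retransmission round over the buffer. Acknowledged requests leave
        the buffer; requests that reach the retry limit are dropped."""
        for sid in list(self.pending):
            req = self.pending[sid]
            req.attempts += 1
            if self.send(req):
                del self.pending[sid]
            elif req.attempts >= self.retry_limit:
                del self.pending[sid]
                self.dropped.append(sid)

    def reset_by_user(self, user_name: str) -> int:
        """Counterpart of reset stop-accounting-buffer user-name: discard the
        buffered requests of one user and return how many were removed."""
        removed = [sid for sid, r in self.pending.items() if r.user_name == user_name]
        for sid in removed:
            del self.pending[sid]
        return len(removed)


def run_scenario(retry_limit: int = 4, answer_after: int = 3) -> dict:
    """Constructed scenario: the accounting server ignores the first
    `answer_after` transmissions for session s1 and never answers session s2."""
    calls = {"s1": 0, "s2": 0}

    def fake_send(req: StopAccountingRequest) -> bool:
        calls[req.session_id] += 1
        return req.session_id == "s1" and calls["s1"] > answer_after

    buf = StopAccountingBuffer(retry_limit, fake_send)
    buf.submit(StopAccountingRequest("user0001@test", "s1"))
    buf.submit(StopAccountingRequest("user0002@test", "s2"))
    rounds = 0
    while buf.pending and rounds < retry_limit:   # bounded so a dead server cannot spin forever
        buf.resend_pending()
        rounds += 1
    return {
        "s1_attempts": calls["s1"],
        "s2_attempts": calls["s2"],
        "dropped": list(buf.dropped),
        "pending": sorted(buf.pending),
    }


def run_reset_scenario() -> int:
    """Constructed scenario: two users buffered, one cleared by user name."""
    buf = StopAccountingBuffer(retry_limit=10, send=lambda req: False)
    buf.submit(StopAccountingRequest("user0001@test", "s1"))
    buf.submit(StopAccountingRequest("user0002@test", "s2"))
    buf.reset_by_user("user0001@test")
    return len(buf.pending)


if __name__ == "__main__":
    print(run_scenario())
    print(run_reset_scenario())
```

In the default scenario session s1 is acknowledged on its fourth transmission and leaves the buffer, while s2 reaches the retry limit of four and is dropped; the reset scenario shows that clearing by user name removes only that user's buffered request.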
If you determine that the primary server is unreachable because the device's port connected to the server is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible. Be sure to set the server quiet timer properly.
Number of users Real-time accounting interval (in minutes) 500 to 999 1000 or more 15 or longer
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
Related commands
retry realtime-accounting
timer response-timeout (RADIUS scheme view)
user-name-format (RADIUS scheme view)
Use user-name-format to specify the format of the username to be sent to a RADIUS server.
Syntax
user-name-format { keep-original | with-domain | without-domain }
Default
The ISP domain name is included in the username.
Views
RADIUS scheme view
Default command level
2: System level...
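The domain-selection order given in the usage guidelines earlier on this page (access-module domain, then the domain in the username, then the device default domain, then the domain for unknown domain names) and the three user-name-format options above fit naturally in one worked example. The Python below is an added example written for this page, not Comware code. Its assumptions: the ISP domain name is the part of the username after the first "@"; a domain is "unavailable" when it is not configured on the device, so the list is walked in the stated order and the first configured candidate wins; a selected domain in block state rejects the user (per the state command, users in a blocked domain cannot request services); and with-domain sends user@selected-domain. The sample domains and usernames are constructed.

```python
"""ISP domain selection and username formatting for a RADIUS scheme.

Added example, not Comware code. Follows the documented selection order and
the user-name-format options; see the lead-in for the assumptions made.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class IspDomain:
    name: str
    state: str = "active"        # "active" or "block", as set by the state command


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """Return (pure username, typed domain or None).
    Assumption: the first '@' separates the two parts."""
    user, sep, domain = username.partition("@")
    return user, (domain if sep else None)


def select_domain(username: str, domains: Dict[str, IspDomain],
                  access_module_domain: Optional[str] = None,
                  default_domain: Optional[str] = "system",
                  unknown_domain: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Walk the documented order and return (domain name, reason).
    A candidate is skipped when it is unset or not configured on the device."""
    _, typed = split_username(username)
    candidates = [
        (access_module_domain, "access-module"),   # e.g. a mandatory 802.1X domain
        (typed, "username"),
        (default_domain, "default"),
        (unknown_domain, "unknown-domain"),
    ]
    for name, reason in candidates:
        if name is not None and name in domains:
            return name, reason
    return None, "no-domain"                        # all candidates unavailable: auth fails


def format_username(username: str, selected_domain: str, fmt: str) -> str:
    """Build the username sent to the RADIUS server per user-name-format."""
    user, _ = split_username(username)
    if fmt == "keep-original":
        return username
    if fmt == "without-domain":
        return user
    if fmt == "with-domain":                       # assumption: selected domain is appended
        return f"{user}@{selected_domain}"
    raise ValueError(f"unknown user-name-format {fmt!r}")


def resolve(username: str, domains: Dict[str, IspDomain],
            fmt: str = "with-domain", **selection) -> dict:
    """Select the ISP domain, apply the block-state check, format the username."""
    name, reason = select_domain(username, domains, **selection)
    if name is None:
        return {"ok": False, "reason": reason}
    if domains[name].state == "block":
        return {"ok": False, "reason": "blocked", "domain": name}
    return {"ok": True, "domain": name, "reason": reason,
            "sent_username": format_username(username, name, fmt)}


# Constructed sample domains: "system" is the predefined default domain.
DOMAINS = {
    "system": IspDomain("system"),
    "test": IspDomain("test"),
    "guests": IspDomain("guests", state="block"),
}

if __name__ == "__main__":
    for u in ("user0001@test", "alice", "bob@nowhere", "carol@guests"):
        print(u, "->", resolve(u, DOMAINS))
    print(resolve("user0001@test", DOMAINS, access_module_domain="system"))
```

Running the script shows a typed and configured domain winning over the default, a bare username landing in the default domain, an unknown typed domain falling through to the default, a blocked domain rejecting its user, and an access-module domain overriding whatever the user typed.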
Default command level 2: System level Parameters vpn-instance-name: Name of the MPLS VPN, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN instance specified here applies to all IPv4 servers in the RADIUS scheme for which no specific VPN instance is specified.
Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets, respectively, in HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display hwtacacs
display hwtacacs
Use display hwtacacs to display the configuration of HWTACACS schemes or the statistics for the HWTACACS servers specified in HWTACACS schemes.
Field: Description
Current-authentication-server: IP address and port number of the currently used authentication server.
Current-authorization-server: IP address and port number of the currently used authorization server.
Current-accounting-server: IP address and port number of the currently used accounting server.
VPN instance: MPLS L3VPN to which the server belongs.
Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters. slot slot-number: Specifies a card by its slot number. The slot-number argument represents the slot number of the card.
Views System view Default command level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs.
Parameters hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines An HWTACACS scheme can be referenced by more than one ISP domain at the same time. An HWTACACS scheme referenced by ISP domains cannot be removed. Examples # Create an HWTACACS scheme named hwt1, and enter HWTACACS scheme view.
Examples
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting simple hello
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
The setting configured by the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1.
Examples # Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10.163.155.12 and 49. <Sysname> system-view [Sysname] hwtacacs scheme test1 [Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) primary authentication (HWTACACS scheme view) Use primary authentication to specify the primary HWTACACS authentication server.
Examples # Specify the IP address and port number of the primary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 and 49. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) primary authorization Use primary authorization to specify the primary HWTACACS authorization server.
Examples # Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) reset hwtacacs statistics Use reset hwtacacs statistics to clear HWTACACS statistics.
Syntax In standalone mode: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] In IRF mode: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ chassis chassis-number slot slot-number ] Views User view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme.
Parameters retry-times: Maximum number of stop-accounting request transmission attempts, ranging from 1 to 300. Examples # Set the maximum number of stop-accounting request transmission attempts to 50 for HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] retry stop-accounting 50 Related commands •...
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. Examples # Specify the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 as 10.163.155.12 with TCP port number 49. <Sysname>...
Examples # Specify the IP address and port number of the secondary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 with TCP port number 49. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 Related commands • display hwtacacs •...
[Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) stop-accounting-buffer enable (HWTACACS scheme view) Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function.
Default The primary server quiet period is 5 minutes. Views HWTACACS scheme view Default command level 2: System level Parameters minutes: Primary server quiet period. The value ranges from 1 to 255, in minutes. Usage guidelines When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until the quiet timer expires.
Table 9 Recommended real-time accounting intervals
Number of users | Real-time accounting interval (in minutes)
1 to 99 |
100 to 499 |
500 to 999 |
1000 or more | 15 or more
Examples # Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1. <Sysname>...
Syntax user-name-format { keep-original | with-domain | without-domain } Default The ISP domain name is included in the username. Views HWTACACS scheme view Default command level 2: System level Parameters keep-original: Sends the username to the HWTACACS server as it is entered. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
Parameters vpn-instance-name: Name of MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified. Examples # Specify VPN instance test for HWTACACS scheme hwt1. <Sysname>...
802.1X commands 802.1X commands are supported only on a SAP module that is operating in bridge mode. display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views Any view...
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times
EAD quick deploy configuration:
URL: http://192.168.19.23
Free IP: 192.168.19.0 255.255.255.0
EAD timeout:
The maximum 802.1X user resource number is 2048 per slot
Total current used 802.1X resource number is 1
GigabitEthernet3/0/1 is link-up
802.1X protocol is enabled...
Field: Description
Proxy trap checker is disabled: Whether the device sends a trap when detecting that a user is accessing the network through a proxy.
Proxy logoff checker is disabled: Whether the device logs off the user when detecting that the user is accessing the network through a proxy.
Field: Description
Guest VLAN: 802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured.
Auth-fail VLAN: Auth-Fail VLAN configured on the port. NOT configured is displayed if no Auth-Fail VLAN is configured.
Critical VLAN: 802.1X critical VLAN configured on the port. NOT configured is displayed if no 802.1X critical VLAN is configured on the port.
dot1x [ interface interface-list ] undo dot1x [ interface interface-list ] In Ethernet interface view: dot1x undo dot1x Default 802.1X is neither enabled globally nor enabled for any port. Views System view, Ethernet interface view Default command level 2: System level Parameters interface interface-list: Specifies a port list, which can contain multiple ports.
[Sysname] interface gigabitethernet 3/0/7 [Sysname-GigabitEthernet3/0/7] dot1x # Enable 802.1X globally. <Sysname> system-view [Sysname] dot1x Related commands display dot1x dot1x authentication-method Use dot1x authentication-method to specify an EAP message handling method. Use undo dot1x authentication-method to restore the default. Syntax dot1x authentication-method { chap | eap | pap } undo dot1x authentication-method Default The network access device performs EAP termination and uses CHAP to communicate with the...
EAP authentication method as the client. If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS configuration commands." Local authentication supports PAP and CHAP. If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
You can configure both an Auth-Fail VLAN and a guest VLAN for a port. Examples # Configure VLAN 3 as the Auth-Fail VLAN for port GigabitEthernet 3/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] dot1x auth-fail vlan 3 Related commands •...
dot1x critical recovery-action Use dot1x critical recovery-action to configure the action that a port takes when an active (reachable) RADIUS authentication server is detected for users in the 802.1X critical VLAN. Use undo dot1x critical recovery-action to restore the default. Syntax dot1x critical recovery-action reinitialize undo dot1x critical recovery-action...
Default The access device supports only the at sign (@) delimiter for 802.1X users. Views System view Default command level 2: System level Parameters string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters.
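The user-name-format modes of the HWTACACS scheme (keep-original, with-domain, without-domain) and the 802.1X domain delimiter set described above decide which account name the server actually sees, so a mismatch between the delimiter set and the server's account naming silently selects the wrong ISP domain or the wrong account. The following is an added example, not code from the HPE command reference: it models that derivation. Assumptions not taken from the page: the domain is the part after the delimiter (the page's user@domain form), the leftmost configured delimiter found in the name is the domain delimiter, and the ISP default domain name "example-domain" is constructed.

```python
# Added example (not code from the HPE command reference): how an access
# device derives the username it sends to the AAA server from the configured
# domain delimiter set (dot1x domain-delimiter) and the user-name-format
# setting of the scheme. Assumptions, not taken from the page: the domain is
# the part after the delimiter (the page's user@domain form), the leftmost
# configured delimiter found in the name is the domain delimiter, and the ISP
# default domain name used in the usage note ("example-domain") is constructed.
from typing import Optional, Tuple

DEFAULT_DELIMITERS = "@"      # page default: only the at sign is supported
MODES = ("keep-original", "with-domain", "without-domain")


def is_valid_delimiter_set(delimiters: str) -> bool:
    """Page constraint: a set of 1 to 16 delimiter characters, no spaces."""
    return 1 <= len(delimiters) <= 16 and " " not in delimiters


def split_username(entered: str,
                   delimiters: str = DEFAULT_DELIMITERS) -> Tuple[str, Optional[str]]:
    """Return (user, domain); domain is None when no delimiter is present."""
    if not is_valid_delimiter_set(delimiters):
        raise ValueError("delimiter set must be 1 to 16 non-space characters")
    positions = [entered.find(d) for d in delimiters if d in entered]
    if not positions:
        return entered, None
    cut = min(positions)              # leftmost delimiter wins (assumption)
    return entered[:cut], entered[cut + 1:]


def format_for_server(entered: str, mode: str, default_domain: str,
                      delimiters: str = DEFAULT_DELIMITERS) -> str:
    """Apply user-name-format { keep-original | with-domain | without-domain }."""
    if mode not in MODES:
        raise ValueError(f"unknown user-name-format: {mode}")
    if mode == "keep-original":
        return entered                # sent exactly as the user typed it
    user, domain = split_username(entered, delimiters)
    if mode == "without-domain":
        return user                   # the server account must exist without a domain suffix
    # with-domain: a name typed without a domain gets the ISP default domain appended
    return entered if domain is not None else f"{user}@{default_domain}"
```

Usage: format_for_server("alice", "with-domain", "example-domain") yields "alice@example-domain", while keep-original sends "alice" untouched and without-domain strips any domain the user typed. The same split decides which ISP domain's AAA methods apply, which is why the delimiter set should be changed only together with the server-side account naming.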
Parameters guest-vlan-id: Specifies the ID of the VLAN to be specified as the 802.1X guest VLAN. The value range is 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide. interface interface-list: Specifies a port list.
Syntax dot1x handshake undo dot1x handshake Default The function is enabled. Views Ethernet interface view Default command level 2: System level Usage guidelines The 802.1X proxy detection function depends on the online user handshake function. Enable handshake before enabling proxy detection, and disable proxy detection before disabling handshake. Hewlett Packard Enterprise recommends that you use the iNode client software to ensure the normal operation of the online user handshake function.
Total 1 connection(s) matched. Related commands display dot1x dot1x max-user Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port. Use undo dot1x max-user to restore the default. Syntax In system view: dot1x max-user user-number [ interface interface-list ] undo dot1x max-user [ interface interface-list ] In Ethernet interface view: dot1x max-user user-number...
[Sysname-GigabitEthernet3/0/1] dot1x max-user 32 # Configure GigabitEthernet 3/0/2 through GigabitEthernet 3/0/5 each to support a maximum of 32 concurrent 802.1X users. <Sysname> system-view [Sysname] dot1x max-user 32 interface gigabitethernet 3/0/2 to gigabitethernet 3/0/5 Related commands display dot1x dot1x multicast-trigger Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication.
dot1x port-control { authorized-force | auto | unauthorized-force } undo dot1x port-control Default The default port authorization state is auto. Views System view, Ethernet interface view Default command level 2: System level Parameters authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication.
dot1x quiet-period Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. Use undo dot1x quiet-period to disable the timer. Syntax dot1x quiet-period undo dot1x quiet-period...
Examples # Enable the 802.1X periodic online user re-authentication function on GigabitEthernet 3/0/1 and set the periodic re-authentication interval to 1800 seconds. <Sysname> system-view [Sysname] dot1x timer reauth-period 1800 [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] dot1x re-authenticate Related commands dot1x timer reauth-period dot1x retry Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.
dot1x supp-proxy-check Use dot1x supp-proxy-check to enable the proxy detection function and set the processing method on the specified ports or all ports. Use undo dot1x supp-proxy-check to disable the function on the specified ports or all ports. Syntax In system view: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] In Ethernet interface view:...
• Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client. • Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command.
EAD fast deployment commands EAD fast deployment commands are supported only on a SAP module that is operating in bridge mode. dot1x free-ip Use dot1x free-ip to configure a free IP. Users can access the segment before passing 802.1X authentication. Use undo dot1x free-ip to remove the specified or all free IP addresses.
Default The timer is 30 minutes. Views System view Default command level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes. The value range is 1 to 1440. Usage guidelines EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network.
If you configure the dot1x url command multiple times, the last configured URL takes effect. Examples # Configure the redirect URL as http://192.168.0.1. <Sysname> system-view [Sysname] dot1x url http://192.168.0.1 Related commands • display dot1x • dot1x free-ip...
MAC authentication configuration commands MAC authentication commands are available only for SAP modules that are operating in bridge mode. display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics, including global settings, and port-specific settings and MAC authentication and online user statistics. Syntax display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]...
The max allowed user number is 2048 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
Silent Mac User info:
MAC Addr From Port Port Index
GigabitEthernet3/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 0
Max number of on-line users is 1024
Current online user number is 0...
Field: Description
Authenticate success: 0, failed: 0: MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.
Max number of on-line users: Maximum number of concurrent online users allowed on the port. If MAC authentication is not enabled on the port, the field displays 0.
Current online user number: Number of online users on the port.
and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port. Usage guidelines To use MAC authentication on a port, you must enable the function both globally and on the port. Examples # Enable MAC authentication globally.
Examples # Specify the domain1 domain as the global authentication domain for MAC authentication users. <Sysname> system-view [Sysname] mac-authentication domain domain1 # Specify the aabbcc domain as the authentication domain for MAC authentication users on port GigabitEthernet 3/0/1. [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] mac-authentication domain aabbcc Related commands display mac-authentication...
Default The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds. Views System view Default command level 2: System level Parameters offline-detect offline-detect-value: Sets the offline detect timer in the range of 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user idle.
Parameters fixed: Uses a shared account for all MAC authentication users. account name: Specifies the username for the shared account. The name takes a case-insensitive string of 1 to 55 characters. If no username is specified, the default name mac applies. password: Specifies the password for the shared user account: cipher: Sets a ciphertext password.
reset mac-authentication statistics Use reset mac-authentication statistics to clear MAC authentication statistics. Syntax reset mac-authentication statistics [ interface interface-list ] Views User view Default command level 2: System level Parameters interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
Portal configuration commands Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting. access-user detect Use access-user detect to configure the online portal user detection function. Use undo access-user detect to restore the default. Syntax access-user detect type { arp | icmp } retransmit number interval interval [ idle-time idletime ] undo access-user detect...
[Sysname-GigabitEthernet3/0/1] access-user detect type arp retransmit 3 interval 10 display portal acl Use display portal acl to display the ACLs on a specific interface. Syntax display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ] Views Any view...
Port : 40000 Rule 1 Inbound interface : GigabitEthernet3/0/1 Type : static Action : permit Protocol Source: : 0.0.0.0 Mask : 0.0.0.0 Port : 23 : 0000-0000-0000 Interface : any VLAN Destination: : 192.168.0.111 Mask : 255.255.255.255 Port : any Rule 2 Inbound interface : GigabitEthernet3/0/1 Type...
Mask : 0.0.0.0 Author ACL: Number : 3001 Table 12 Command output Field Description Rule Sequence number of the portal ACL, which is numbered from 0 in ascending order. Inbound interface Interface to which the portal ACL is bound. Type Type of the portal ACL.
interface interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
MSG_CUT_L3IF MSG_IP_REMOVE MSG_ALL_REMOVE MSG_IFIPADDR_CHANGE MSG_SOCKET_CHANGE MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT Table 13 Command output Field Description User state statistics Statistics on portal users. State-Name Name of a user state. User-Num Number of users in a specific state. Message statistics Statistics on messages. Msg-Name Message type.
Field: Description
MSG_CUT_L3IF: Users-removed message, indicating the users on a Layer 3 interface were removed because they were logged out.
MSG_IP_REMOVE: User-with-an-IP-removed message.
MSG_ALL_REMOVE: All-users-removed message.
MSG_IFIPADDR_CHANGE: Interface IP address change message.
MSG_SOCKET_CHANGE: Socket change message.
MSG_NOTIFY: Notification message.
MSG_SETPOLICY: Set policy message for assigning security ACL.
Mask : 0.0.0.0 Port : any Protocol # Display information about portal-free rule 3. <Sysname> display portal free-rule 3 Rule-Number Source: : 222.222.222.222 Mask : 255.255.255.255 Port : 50000 ~ 51000 : 0000-0000-0000 Interface : any Vlan Destination: : 111.111.111.111 Mask : 255.255.255.255 Port...
Views Any view Default command level 1: Monitor level Parameters interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
display portal server Use display portal server to display information about a specific portal server or all portal servers. Syntax display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters...
Field: Description
Server Type: Type of the portal server. Possible values include:
• CMCC—CMCC portal server.
• IMC—IMC portal server.
Current status of the portal server. Possible values include:
• N/A—The server is not referenced on any interface, or the server detection function is not enabled.
Field: Description
AFF_ACK_AUTH: Affirmation message the portal server sent to the access device after receiving an authentication acknowledgement message.
NTF_LOGOUT: Forced logout notification message the access device sent to the portal server.
REQ_INFO: Information request message.
ACK_INFO: Information acknowledgment message.
NTF_USERDISCOVER: User discovery notification message the portal server sent to the access device.
Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Field Description FIN_WAIT_1 Number of connections in FIN_WAIT_1 state. FIN_WAIT_2 Number of connections in FIN_WAIT_2 state. CLOSING Number of connections in CLOSING state. display portal user Use display portal user to display information about portal users on a specific interface or all interfaces.
Vlan Interface --------------------------------------------------------------------- 000d-88f8-0eac 3.3.3.3 GigabitEthernet3/0/2 Total 2 user(s) matched, 2 listed. Table 19 Command output Field Description Index Index of the portal user. State Current status of the portal user. SubState Current sub-status of the portal user. Authorization ACL of the portal user. User's working mode: •...
mask-length: Length of the subnet mask, in the range of 0 to 32. mask: Subnet mask, in dotted decimal notation. all: Specifies all authentication source subnets. Usage guidelines This command is only applicable for cross-subnet authentication (layer3). The portal authentication source subnet for direct authentication (direct) can be any source IP address, and the portal authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users.
You can configure multiple authentication destination subnets by executing the portal auth-network destination command. The system supports up to 16 authentication source subnets and destination subnets. If both an authentication source subnet and destination subnet are configured on an interface, only the authentication destination subnet takes effect.
Views System view Default command level 2: System level Parameters id-value: Device ID of the device, a case-sensitive string of 1 to 16 characters. This device ID value is carried in the redirection URL to be sent to the clients. Usage guidelines If the type of the portal server specified for Layer 3 portal authentication is CMCC, you must specify the device ID.
Related commands display portal interface portal free-rule Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination filtering condition, or both. Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules. Syntax portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | mask } | any } [ tcp tcp-port-number [ to tcp-port-number ] | udp udp-port-number [ to udp-port-number ] ] } |...
Regardless of whether portal authentication is enabled on an interface, you can only add or remove a portal-free rule. You cannot modify it. A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation group.
Use undo portal nas-id to restore the default. Syntax portal nas-id nas-identifier undo portal nas-id Default The device name specified through the sysname command is used as the NAS ID of a RADIUS request. For information about the sysname command, see Fundamentals Command Reference. Views Interface view, system view Default command level...
Usage guidelines If an interface is specified with a NAS ID profile, the interface prefers to use the binding defined in the profile. If no NAS ID profile is specified for an interface or no matching binding is found in the specified profile: •...
Syntax portal nas-port-id nas-port-id-value undo portal nas-port-id Default No NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request. Views Interface view Default command level...
wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless.
undo portal server server-name [ key | port | server-type | url | vpn-instance ] Default No portal server is configured for Layer 3 portal authentication. Views System view Default command level 2: System level Parameters server-name: Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters. ip ip-address: Specifies the IP address of the portal server.
Examples # Configure portal server pts, setting the IP address to 192.168.0.111, the key to portal in plain text, and the redirection URL to http://192.168.0.113/portal. <Sysname> system-view [Sysname] portal server pts ip 192.168.0.111 key simple portal url http://192.168.0.113/portal Related commands •...
portal server server-detect Use portal server server-detect to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. When this function is configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes.
heartbeat packets or authentication packets (such as login requests and logout requests), it re-enables the portal authentication function. • trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of a portal server changes, the access device sends a trap message to the network management server (NMS).
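The detection function just described has two properties a practitioner should check: the configured actions fire on a status change, not on every probe (otherwise a flapping server produces a trap storm), and the permit-all style action is fail-open, so portal authentication is off for as long as the server is considered unreachable. The following is an added example, not code from the HPE command reference, that models that logic. Assumptions not taken from the page: a server is declared unreachable after max_attempts consecutive unanswered probes, one answered probe counts as the heartbeat or authentication traffic that proves recovery, the action name "permit-all" (only "trap" is named on the page) and the event strings are constructed.

```python
# Added example (not code from the HPE command reference): a model of portal
# server detection. Assumptions, not taken from the page: a server is declared
# unreachable after max_attempts consecutive probes without a reply, a single
# answered probe counts as the heartbeat or authentication traffic that proves
# recovery, and the action name "permit-all" and the event strings are constructed.
from typing import List, Set

ACTIONS = ("trap", "permit-all")


class PortalServerDetector:
    """Tracks one portal server and fires the configured actions only when its
    reachability changes, never on every probe."""

    def __init__(self, name: str, max_attempts: int, actions: Set[str]) -> None:
        unknown = set(actions) - set(ACTIONS)
        if unknown:
            raise ValueError(f"unknown detection actions: {sorted(unknown)}")
        if max_attempts < 1:
            raise ValueError("max_attempts must be at least 1")
        self.name = name
        self.max_attempts = max_attempts
        self.actions = set(actions)
        self.failures = 0            # consecutive unanswered probes
        self.reachable = True        # a newly configured server is assumed reachable
        self.portal_auth_enabled = True

    def probe(self, answered: bool) -> List[str]:
        """Record one probe result; return the events produced by a status change."""
        if answered:
            self.failures = 0
            if self.reachable:
                return []            # steady state, nothing to report
            self.reachable = True
            return self._on_change()
        self.failures += 1
        if not self.reachable or self.failures < self.max_attempts:
            return []                # already marked unreachable, or below the threshold
        self.reachable = False
        return self._on_change()

    def _on_change(self) -> List[str]:
        events: List[str] = []
        state = "reachable" if self.reachable else "unreachable"
        if "trap" in self.actions:
            events.append(f"trap: portal server {self.name} {state}")
        if "permit-all" in self.actions:
            # fail-open: while the server is unreachable, portal authentication is
            # disabled on the interface so users are not locked out; it is enabled
            # again once the server answers
            self.portal_auth_enabled = self.reachable
            events.append("portal authentication "
                          + ("enabled" if self.reachable else "disabled"))
        return events
```

With max_attempts set to 3 and both actions configured, the first two unanswered probes produce nothing, the third produces one trap and disables portal authentication, further failures stay silent, and the next answered probe produces the recovery trap and re-enables authentication. Monitoring the trap pair is what tells a SOC how long the fail-open window lasted.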
undo portal server server-name user-sync Default The portal user synchronization function is not configured. Views System view Default command level 2: System level Parameters server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must have existed.
Views User view Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Examples # Clear portal connection statistics on interface GigabitEthernet 3/0/1. <Sysname> reset portal connection statistics interface gigabitethernet 3/0/1 reset portal server statistics Use reset portal server statistics to clear portal server statistics on a specific interface or all interfaces.
Port security configuration commands The port security commands are available only for SAP modules that are operating in bridge mode. display port-security Use display port-security to display port security configuration information, operation information, and statistics for one or more ports. Syntax display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views...
Index is 1, OUI value is 000d1a
Index is 2, OUI value is 003c12
GigabitEthernet3/0/1 is link-down
Port mode is userLoginWithOUI
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is DisablePort
Max MAC address number is 50
Stored MAC address number is 0
Authorization is ignored
GigabitEthernet3/0/2 is link-down
Port mode is noRestriction...
Field: Description
Port mode: Port security mode:
• noRestrictions.
• autoLearn.
• macAddressWithRadius.
• macAddressElseUserLoginSecure.
• macAddressElseUserLoginSecureExt.
• secure.
• userLogin.
• userLoginSecure.
• userLoginSecureExt.
• macAddressOrUserLoginSecure.
• macAddressOrUserLoginSecureExt.
• userLoginWithOUI.
Need to know (NTK) mode:
• NeedToKnowOnly—Allows only unicast packets with authenticated destination MAC addresses.
• port-security max-mac-count • port-security mac-address security • port-security authorization ignore • port-security oui • port-security trap display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses. Syntax display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ] Views Any view...
--- On slot 2, no mac address found ---
--- On slot 3, 1 mac address(es) found ---
--- 1 mac address(es) found ---
# Display information about all blocked MAC addresses in VLAN 30.
<Sysname> display port-security mac-address block vlan 30
MAC ADDR From Port VLAN ID...
Related commands port-security intrusion-mode display port-security mac-address security Use display port-security mac-address security to display information about secure MAC addresses. Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command. Syntax display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]...
0002-0002-0002 Security GigabitEthernet3/0/1 NOAGED
000d-88f8-0577 Security GigabitEthernet3/0/1 NOAGED
2 mac address(es) found
# Display information about secure MAC addresses on port GigabitEthernet 3/0/1.
<Sysname> display port-security mac-address security interface gigabitethernet 3/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME
000d-88f8-0577 Security GigabitEthernet3/0/1...
Default command level 2: System level Usage guidelines After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user's account. For example, it can assign a VLAN. Examples # Configure port GigabitEthernet 3/0/1 to ignore the authorization information from the authentication server.
• dot1x port-control • mac-authentication port-security intrusion-mode Use port-security intrusion-mode to configure the intrusion protection feature so that the port takes the pre-defined actions when intrusion protection is triggered on the port. Use undo port-security intrusion-mode to restore the default. Syntax port-security intrusion-mode { blockmac | disableport | disableport-temporarily } undo port-security intrusion-mode...
Syntax port-security mac-address aging-type inactivity undo port-security mac-address aging-type inactivity Default The inactivity aging function is disabled. Views Layer 2 Ethernet interface view Default command level 2: System level Usage guidelines If only an aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC address.
Usage guidelines After you execute this command, you cannot manually configure sticky MAC address, and secure MAC addresses automatically learned by a port in autoLearn mode are also dynamic. All dynamic MAC addresses are lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot.
Usage guidelines Secure MAC addresses are MAC addresses configured or learned in autoLearn mode. They can survive link down/up events, and once saved, can survive a device reboot. You can bind a MAC address to only one port in a VLAN. When a port is operating in autoLearn mode, you can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure.
port-security max-mac-count Use port-security max-mac-count to set the maximum number of MAC addresses that port security allows on a port. Use undo port-security max-mac-count to restore the default setting. Syntax port-security max-mac-count count-value undo port-security max-mac-count Default Port security has no limit on the number of MAC addresses on a port. Views Ethernet interface view Default command level...
Default NTK is disabled on a port and all frames are allowed to be sent. Views Ethernet interface view Default command level 2: System level Parameters ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses. ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
index-value: Specifies the OUI index in the range of 1 to 16. Usage guidelines An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure a device to allow packets from certain devices to pass authentication.
Keyword: mac-else-userlogin-secure. Security mode: macAddressElseUserLoginSecure. Description: This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. • A port in this mode performs MAC authentication 30 seconds after receiving a non-802.1X frame. •...
When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes. Examples # Enable port security and set port GigabitEthernet 3/0/1 in secure mode. <Sysname>...
Use undo port-security timer disableport to restore the default. Syntax port-security timer disableport time-value undo port-security timer disableport Default The silence period is 20 seconds. Views System view Default command level 2: System level Parameters time-value: Specifies the silence period in seconds during which the port remains disabled. The value range is 20 to 300.
Parameters addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address. dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails. dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.
User profile configuration commands display user-profile Use display user-profile to display information about all user profiles that have been created. Syntax display user-profile [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters |: Filters command output by specifying a regular expression.
Default A created user profile is disabled. Views System view Default command level 2: System level Parameters profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underscores, and it must start with an English letter. The user profile must already exist.
# Enter the user profile view of a123. <Sysname> system-view [Sysname] user-profile a123 [Sysname-user-profile-a123] Related commands user-profile enable...
Password control configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration information.
# Display the password control configuration for super passwords. <Sysname> display password-control super Super password control configurations: Password aging: Enabled (90 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Table 24 Command output Field Description Password control...
Parameters user-name name: Specifies a user by the name, a string of 1 to 80 characters. ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
Usage guidelines Valid characters for a local user password are from the following four types: • Uppercase letters A to Z. • Lowercase letters a to z. • Digits 0 to 9. • Special characters listed in Table 26. Table 26 Special characters Character name Symbol Character name...
Related commands • password-control enable • display password-control password-control aging Use password-control aging to set the password aging time. Use undo password-control aging to restore the default. Syntax password-control aging aging-time undo password-control aging Default A password expires after 90 days globally. The password aging time of a user group equals the global setting.
• user-group password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default A user is notified of pending password expiration 7 days before the user's password expires.
Examples # Set the user authentication timeout time to 40 seconds. <Sysname> system-view [Sysname] password-control authentication-timeout 40 password-control complexity Use password-control complexity to configure the password complexity checking policy. Passwords that do not comply with the complexity policy are refused. Use undo password-control complexity check to remove a password complexity checking item. Syntax password-control complexity { same-character | user-name } check undo password-control complexity { same-character | user-name } check...
characters (see "password"), and each character type present in the password must contribute at least one character. In FIPS mode, the global password composition policy is as follows: A password must contain all four character types (uppercase letters, lowercase letters, digits, and special characters), with at least one character of each type.
password-control enable Use password-control enable to enable the password control feature globally. Use undo password-control enable to disable the password control feature globally. Syntax password-control enable undo password-control enable Default The password control feature is disabled globally. Views System view Default command level 2: System level Usage guidelines...
times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10. 0 means that a user cannot log in after the password expires. Examples # Specify that a user can log in five times within 60 days after the password expires. <Sysname>...
Views System view, user group view, local user view Default command level 2: System level Parameters length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 8 to 32 in FIPS mode. Usage guidelines The setting in system view has global significance and applies to all user groups.
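To show how the length, composition and complexity policies described here combine when a candidate password is evaluated, the following Python checker is an added example; it is not the router's code. The special-character set and the exact semantics of the same-character and user-name checks (no character repeated three or more times in a row; the password may not contain the username or its reverse) are assumptions, since the page's text for them is truncated.

```python
import string

# Character types listed in the password-control usage guidelines.
# The special-character set is an assumption (Table 26 did not survive
# extraction): any printable ASCII character that is not a letter or a digit.
CHARACTER_TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def count_types(password, type_length):
    """Number of character types that appear at least type_length times."""
    return sum(
        1 for chars in CHARACTER_TYPES.values()
        if sum(1 for c in password if c in chars) >= type_length
    )


def has_run(password, run_length=3):
    """True if any character repeats consecutively run_length or more times."""
    count = 1
    for prev, cur in zip(password, password[1:]):
        count = count + 1 if prev == cur else 1
        if count >= run_length:
            return True
    return False


def check_password(password, username, *, fips=False, min_length=None,
                   type_number=None, type_length=1,
                   same_character_check=False, user_name_check=False):
    """Evaluate a candidate password against a password-control policy.

    Returns a list of violation strings; an empty list means the password is
    accepted. The keyword arguments mirror the commands on this page; the
    semantics of the two complexity checks are assumptions (see lead-in).
    """
    problems = []

    # password-control length: 4 to 32 in non-FIPS mode, 8 to 32 in FIPS mode.
    low, high = (8, 32) if fips else (4, 32)
    if min_length is None:
        min_length = low  # assumption: use the floor of the range when unset
    if not low <= min_length <= high:
        raise ValueError(f"min_length {min_length} outside range {low}-{high}")
    if len(password) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")

    # password-control composition: FIPS mode requires all four types,
    # each contributing at least one character.
    if fips:
        type_number, type_length = 4, max(type_length, 1)
    if type_number is not None and count_types(password, type_length) < type_number:
        problems.append(f"fewer than {type_number} character types "
                        f"with at least {type_length} character(s) each")

    # password-control complexity same-character check (assumed semantics:
    # no character repeated three or more times in a row).
    if same_character_check and has_run(password):
        problems.append("contains a character repeated three or more times in a row")

    # password-control complexity user-name check (assumed semantics: the
    # password must not contain the username or its reverse, case-insensitive).
    if user_name_check and username:
        lowered, name = password.lower(), username.lower()
        if name in lowered or name[::-1] in lowered:
            problems.append("contains the username or its reverse")

    # Anything outside the four valid types is rejected outright.
    valid = set().union(*CHARACTER_TYPES.values())
    if any(c not in valid for c in password):
        problems.append("contains characters outside the four valid types")

    return problems


if __name__ == "__main__":
    for pw in ["Abcd1234!", "abc", "tEstuser9!", "aaaBBB111!!!"]:
        print(pw, check_password(pw, "testuser", fips=True,
                                 same_character_check=True, user_name_check=True))
```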
undo password-control login idle-time Default You cannot use a user account to log in to the device if the account has been idle for 90 days. Views System view Default command level 2: System level Parameters idle-time: Specifies the maximum account idle time in days, in the range of 0 to 365. 0 means no restriction for account idle time.
unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log in. Usage guidelines If prohibited permanently, a user can log in only after you remove the user from the password control blacklist.
undo password-control password update interval Default The minimum password update interval is 24 hours. Views System view Default command level 2: System level Parameters interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.
Examples # Set the super passwords to expire after 10 days. <Sysname> system-view [Sysname] password-control super aging 10 Related commands password-control aging password-control super composition Use password-control super composition to configure the composition policy for super passwords. Use undo password-control super composition to restore the default. Syntax password-control super composition type-number type-number [ type-length type-length ] undo password-control super composition...
Use undo password-control super length to restore the default. Syntax password-control super length length undo password-control super length Default The minimum password length for super passwords is the same as the global minimum password length. Views System view Default command level 2: System level Parameters length: Specifies the minimum length for super passwords in characters.
<Sysname> reset password-control blacklist user-name test Are you sure to delete the specified user in blacklist? [Y/N]: Related commands display password-control blacklist reset password-control history-record Use reset password-control history-record to delete history password records. Syntax reset password-control history-record [ user-name name | super [ level level ] ] Views User view Default command level...
RSH configuration commands Use rsh to execute an OS command on a remote host. Syntax rsh host [ user username ] command remote-command Views User view Default command level 0: Visit level Parameters host: IP address or host name of the remote host, a string of 1 to 20 characters. user username: Specifies the username for remote login, a string of 1 to 20 characters.
Public key configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display the public key information of local asymmetric key pairs.
===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12 B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75 1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 20:00:16 2007/10/25 Key name: HOST_KEY Key type: DSA Encryption Key ===================================================== Key code: 308201B83082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F061C4F...
Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all peer public keys. name publickey-name: Specifies a peer public key by its name, a case-sensitive string of 1 to 64 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
1024 10.1.1.1 Table 29 Command output Field Description Type Key type: RSA or DSA. Module Key modulus length in bits. Name Name of the public key. Related commands • public-key peer • public-key peer import sshkey peer-public-key end Use peer-public-key end to return from public key view to system view. Syntax peer-public-key end Views...
Usage guidelines If the peer device is an HPE device, input the key data displayed by the display public-key local public command so that the key is format compliant. Examples # Enter public key code view and input the key.
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1 DDE675AC30CB020301 [Sysname-pkey-key-code]0001 [Sysname-pkey-key-code] public-key-code end [Sysname-pkey-public-key] Related commands • public-key peer • public-key-code begin public-key local create Use public-key local create to create local asymmetric key pairs. The created local key pairs are automatically saved, and can survive a reboot. Syntax public-key local create { dsa | rsa } [ name key-name ] Default...
NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++ +++++++ +++++++++ # Create a local DSA key pair using the default name. <Sysname>...
Views System view Default command level 2: System level Parameters dsa: Specifies the DSA key pair. rsa: Specifies the RSA key pair. name key-name: Specifies a local key pair by its name. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the default key pair of the specified type.
aes-cbc-128: Specifies the 128-bit AES_CBC encryption algorithm. aes-cbc-192: Specifies the 192-bit AES_CBC encryption algorithm. aes-cbc-256: Specifies the 256-bit AES_CBC encryption algorithm. password: Specifies a password used to encrypt the RSA key pair. Usage guidelines You must specify an encryption algorithm and password to encrypt the specified RSA key pair. The router does not support displaying RSA key pairs in plaintext.
Syntax public-key local export public dsa { openssh | ssh2 } [ filename ] Views System view Default command level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh2: Uses the format of SSH2.0. filename: Specifies the name of the file for storing the local public key. For more information about file names, see Fundamentals Configuration Guide.
public-key local export public rsa Use public-key local export public rsa without the filename argument to display the host public key of the local RSA key pairs in a specific key format. Use public-key local export public rsa with the filename argument to export the host public key of the local RSA key pairs to a specific file.
public-key local import Use public-key local import to import an RSA key pair in PEM format. Syntax public-key local import rsa name key-name pem Views System view Default command level 2: System level Parameters rsa: Specifies an RSA key pair. name key-name: Specifies a name for the imported RSA key pair.
q/txd/KsLnp0rpJkc/WhOTprioeLQQEBayixKRWzNLsZt3L6lqYbA01Z1THho+EV 0Ng0EZKQyiRV1j7gsBYFRinbSAsIpeYlr7gDAnBCRJdSfPNBKG+ewg== -----END RSA PRIVATE KEY----- Please input the password:12345678 [Sysname] # If an RSA key pair with the same name already exists, specify whether to overwrite the existing key pair. Warning: The device already has a key pair with the same name. If you choose to continue, the existing key pair will be overwritten.
• public-key-code end • peer-public-key end • display public-key peer public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key. Syntax public-key peer keyname import sshkey filename undo public-key peer keyname...
PKI configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name and alternative certificate subject name.
Examples # Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc. <Sysname> system-view [Sysname] pki certificate attribute-group mygroup [Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc # Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc.
Default No entity is specified for certificate request. Views PKI domain view Default command level 2: System level Parameters entity-name: Specifies an entity name for certificate request, a case-insensitive string of 1 to 15 characters. Examples # Specify the entity for certificate request as entity1. <Sysname>...
Default The polling is executed every 20 minutes for up to 50 times. Views PKI domain view Default command level 2: System level Parameters count count: Specifies the maximum number of attempts to poll the status of the certificate request. The value range is 1 to 100.
Examples # Specify the URL of the server for certificate request. <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll common-name Use common-name to configure the common name of an entity, which can be, for example, the user name.
Default command level 2: System level Parameters country-code-str: Specifies a country code for the entity, a case-insensitive string of 2 characters. Examples # Set the country code of an entity to CN. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] country CN crl check Use crl check to enable or disable CRL checking.
Default The CRL update period depends on the next update field in the CRL file. Views PKI domain view Default command level 2: System level Parameters hours: Specifies the CRL update period in hours, in the range of 1 to 720. Examples # Set the CRL update period to 20 hours.
display pki certificate Use display pki certificate to display the contents or request status of a certificate. Syntax display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
Default command level 1: Monitor level Parameters policy-name: Specifies the name of a certificate attribute-based access control policy, a string of 1 to 16 characters. all: Specifies all certificate attribute-based access control policies. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about the certificate attribute group mygroup. <Sysname> display pki certificate attribute-group mygroup attribute group name: mygroup attribute 1 subject-name attribute...
Use undo fqdn to remove the configuration. Syntax fqdn name-str undo fqdn Default No FQDN is specified for an entity. Views PKI entity view Default command level 2: System level Parameters name-str: Specifies a fully qualified domain name (FQDN) for an entity, a case-insensitive string of 1 to 127 characters.
ip (PKI entity view) Use ip to configure the IP address of an entity. Use undo ip to remove the configuration. Syntax ip ip-address undo ip Default No IP address is specified for an entity. Views PKI entity view Default command level 2: System level Parameters ip-address: Specifies the IP address of an entity.
Examples # Specify an LDAP server for PKI domain 1. <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] ldap-server ip 169.254.0.30 locality Use locality to configure the geographical locality of an entity, which can be, for example, a city name. Use undo locality to remove the configuration. Syntax locality locality-name undo locality...
Parameters org-name: Specifies an organization name for an entity, a case-insensitive string of 1 to 31 characters. No comma can be included. Examples # Configure the name of the organization to which an entity belongs as test-lab. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] organization test-lab organization-unit Use organization-unit to specify the name of the organization unit to which this entity belongs.
Views System view Default command level 2: System level Parameters policy-name: Specifies a certificate attribute-based access control policy by its name, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all. all: Specifies all certificate attribute-based access control policies. Examples # Configure an access control policy named mypolicy and enter its view.
Views System view Default command level 2: System level Parameters ca: Deletes the locally stored CA certificate. local: Deletes the locally stored local certificate. domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters. Examples # Delete the local certificate for PKI domain cer.
Syntax pki entity entity-name undo pki entity entity-name Default No entity exists. Views System view Default command level 2: System level Parameters entity-name: Specifies a PKI entity name, a case-insensitive string of 1 to 15 characters. Usage guidelines You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for convenience of reference by other commands.
Usage guidelines In FIPS mode, MD5 certificates cannot be imported. Examples # Import the CA certificate for PKI domain cer in the format of PEM. <Sysname> system-view [Sysname] pki import-certificate ca domain cer pem Related commands pki domain pki request-certificate domain Use pki request-certificate domain to request a local certificate from a CA through SCEP.
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c -----END CERTIFICATE REQUEST----- Related commands pki domain pki retrieval-certificate Use pki retrieval-certificate to obtain a certificate from the server for certificate distribution. Syntax pki retrieval-certificate { ca | local } domain domain-name Views System view Default command level 2: System level Parameters ca: Obtains the CA certificate.
<Sysname> system-view [Sysname] pki retrieval-crl domain 1 Related commands pki domain pki validate-certificate Use pki validate-certificate to verify the validity of a certificate. Syntax pki validate-certificate { ca | local } domain domain-name Views System view Default command level 2: System level Parameters ca: Verifies the CA certificate.
Default command level 2: System level Parameters md5: Uses an MD5 fingerprint. sha1: Uses a SHA1 fingerprint. string: Specifies the fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in hexadecimal. A SHA1 fingerprint must be a string of 40 characters in hexadecimal. Examples # Configure an MD5 fingerprint for verifying the validity of the CA root certificate.
Examples # Create an access control rule, specifying that a certificate is considered valid when it matches an attribute rule in the certificate attribute group mygroup. <Sysname> system-view [Sysname] pki certificate access-control-policy mypolicy [Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup state Use state to specify the name of the state or province where an entity resides. Use undo state to remove the configuration.
IPsec configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Syntax connection-name name undo connection-name Default No IPsec connection name is configured. Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters name: Specifies the IPsec connection name, a case-insensitive string of 1 to 32 characters. Examples # Set the IPsec connection name to CenterToA.
Syntax display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all IPsec policies. name: Displays detailed information about a specific IPsec policy or IPsec policy group.
Field Description Mode Negotiation mode of the IPsec policy: • manual—Manual mode. • isakmp—IKE negotiation mode. • template—IPsec policy template mode. • gdoi—GDOI mode. ACL referenced by the IPsec policy. Mapped Template Referenced IPsec policy template. Local Address IP address of the local end. Remote Address IP address of the remote end.
Field Description tunnel remote address Remote IP address of the tunnel. transform-set name Transform set referenced by the IPsec policy. policy enable Whether the IPsec policy is enabled or not. tfc enable Whether TFC padding is enabled. inbound/outbound AH/ESP setting AH/ESP settings in the inbound/outbound direction, including the SPI and keys.
<Sysname> display ipsec policy-template brief Policy-template-Name Remote-Address ------------------------------------------------------ test-tplt300 2200 Table 37 Command output Field Description Policy-template-Name Name and sequence number of the IPsec policy template, separated by a hyphen. ACL referenced by the IPsec policy template. Remote Address Remote IP address. # Display detailed information about all IPsec policy templates.
Field Description IPsec sa local duration(time based) Time-based lifetime of the IPsec SAs at the local end. IPsec sa local duration(traffic based) Traffic-based lifetime of the IPsec SAs at the local end. Related commands ipsec policy-template display ipsec profile Use display ipsec profile to display the configuration information of IPsec profiles. Syntax display ipsec profile [ name profile-name ] [ | { begin | exclude | include } regular-expression ] Views...
ike-peer name: peer1 PFS: N transform-set name: prop1 IPsec sa local duration(time based): 3600 seconds IPsec sa local duration(traffic based): 1843200 kilobytes policy enable: True tfc enable: False =========================================== IPsec profile: "btoa" Using interface: Tunnel1 =========================================== ----------------------------- IPsec profile name: "btoa" mode: tunnel ----------------------------- encapsulation mode: tunnel...
Related commands ipsec profile display ipsec sa Use display ipsec sa to display information about IPsec SAs. Syntax display ipsec sa [ brief | policy policy-name [ seq-number ] | remote [ ipv6 ] ip-address ] [ | { begin | exclude | include } regular-expression ] Views Any view...
Table 40 Command output Field Description Src Address Local IP address. For SAs generated through GDOI policies or SAs generated through policies that are applied to IPv6 routing protocols, "—" is displayed for this field. Dst Address Remote IP address. For SAs generated through GDOI policies or SAs generated through policies that are applied to IPv6 routing protocols, "—"...
[outbound ESP SAs] spi: 0x2fc8fd45(801701189) transform: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 2 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686 anti-replay detection: Enabled anti-replay window size(counter based): 32 udp encapsulation used for nat traversal: N =============================== Protocol: OSPFv3 =============================== -----------------------------...
PFS: N, DH group: none tunnel: local address: 2.2.2.2 remote address: 0.0.0.0 flow: sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP current outbound spi: 0x2FC8FD45(801701189) [inbound ESP SAs] spi: 0xD47B1AC1(3564837569) transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 5 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686...
Table 41 Command output Field Description Interface Interface referencing the IPsec policy. path MTU Maximum IP packet length supported by the interface. Protocol Name of the protocol to which the IPsec policy is applied. IPsec policy name Name of IPsec policy used. sequence number Sequence number of the IPsec policy.
Connection ID : 3 ------------------------------------------------ the security packet statistics: input/output security packets: 5124/8231 input/output security bytes: 52348/64356 input/output dropped security packets: 0/0 dropped security packet detail: not enough memory: 0 queue is full: 0 authentication has failed: 0 wrong length: 0 replay packet: 0 packet too long: 0 wrong SA: 0...
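The per-SA fields shown in the display ipsec sa output above are easy to audit once parsed. The following Python script is an added example, not part of the manual: it parses a constructed sample in the same shape as that output (the outbound SA reuses the page's values; the inbound SA's transform names and anti-replay state are invented) and flags SAs that use DES or MD5 or have anti-replay detection disabled.

```python
import re

# Constructed sample in the shape of the "display ipsec sa" output shown above.
# The outbound SA reuses the page's values; the inbound SA's transform and
# anti-replay state are invented to exercise the audit (not from a real device).
SAMPLE_OUTPUT = """\
[outbound ESP SAs]
  spi: 0x2fc8fd45(801701189)
  transform: ESP-ENCRYPT-DES ESP-AUTH-MD5
  in use setting: Tunnel
  connection id: 2
  sa duration (kilobytes/sec): 4294967295/604800
  sa remaining duration (kilobytes/sec): 1843200/2686
  anti-replay detection: Enabled
  anti-replay window size(counter based): 32
  udp encapsulation used for nat traversal: N
[inbound ESP SAs]
  spi: 0xD47B1AC1(3564837569)
  transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
  in use setting: Tunnel
  connection id: 5
  sa duration (kilobytes/sec): 4294967295/604800
  sa remaining duration (kilobytes/sec): 1843200/2686
  anti-replay detection: Disabled
"""

# Transform names the page itself prints for DES and MD5. Treating them as weak
# is this auditor's policy (assumption), not something the device enforces.
WEAK_TRANSFORMS = {"ESP-ENCRYPT-DES", "ESP-AUTH-MD5"}

SA_HEADER = re.compile(r"^\[(inbound|outbound) (ESP|AH) SAs\]$")


def parse_sas(text):
    """Split the output into one dict per SA block, keyed by the printed field names."""
    sas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SA_HEADER.match(line)
        if header:
            current = {"direction": header.group(1), "protocol": header.group(2)}
            sas.append(current)
            continue
        if current is None or ":" not in line:
            continue  # banners, separators, or text before the first SA block
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return sas


def spi_value(sa):
    """SPI as an integer; the device prints hex followed by decimal in parentheses."""
    return int(sa["spi"].split("(")[0], 16)


def remaining_fraction(sa):
    """Fraction of the time-based lifetime (seconds) still left, 0.0 to 1.0."""
    total = int(sa["sa duration (kilobytes/sec)"].split("/")[1])
    left = int(sa["sa remaining duration (kilobytes/sec)"].split("/")[1])
    return left / total


def audit_sa(sa):
    """Return a list of findings for one SA; an empty list means nothing to flag."""
    findings = [f"weak transform {t}" for t in sa.get("transform", "").split()
                if t in WEAK_TRANSFORMS]
    if sa.get("anti-replay detection", "").lower() != "enabled":
        findings.append("anti-replay detection not enabled")
    return findings


if __name__ == "__main__":
    for sa in parse_sas(SAMPLE_OUTPUT):
        print(sa["direction"], hex(spi_value(sa)), audit_sa(sa) or "ok")
```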
Syntax display ipsec transform-set [ transform-set-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters transform-set-name: Specifies the name of an IPsec transform set, a string of 1 to 32 characters. If you do not specify an IPsec transform set, the command displays information about all IPsec transform sets.
Field Description AH protocol Authentication algorithm used by AH. ESP protocol Authentication algorithm and encryption algorithm used by ESP. Related commands ipsec transform-set display ipsec tunnel Use display ipsec tunnel to display information about IPsec tunnels. Syntax display ipsec tunnel [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
Parameters transport: Uses transport mode. tunnel: Uses tunnel mode. Usage guidelines IPsec for IPv6 routing protocols supports only the transport mode. When IPsec uses IKE to set up the IPsec tunnel, this command can be used only in IPsec transform set view.
Examples # Configure IPsec transform set prop1 to use ESP and specify SHA-1 as the authentication algorithm for ESP. <Sysname> system-view [Sysname] ipsec transform-set prop1 [Sysname-ipsec-transform-set-prop1] transform esp [Sysname-ipsec-transform-set-prop1] esp authentication-algorithm sha1 Related commands • ipsec transform-set • esp encryption-algorithm esp encryption-algorithm Use esp encryption-algorithm to specify encryption algorithms for ESP.
[Sysname] ipsec transform-set prop1 [Sysname-ipsec-transform-set-prop1] transform esp [Sysname-ipsec-transform-set-prop1] esp encryption-algorithm 3des Related commands • display ipsec transform-set • esp authentication-algorithm ike-peer (IPsec policy view/IPsec policy template view/IPsec profile view) Use ike-peer to reference an IKE peer in an IPsec policy, IPsec policy template, or IPsec profile configured through IKE negotiation.
undo ipsec anti-replay check Default IPsec anti-replay checking is enabled. Views System view Default command level 2: System level Examples # Enable IPsec anti-replay checking. <Sysname> system-view [Sysname] ipsec anti-replay check ipsec anti-replay window Use ipsec anti-replay window to set the size of the anti-replay window. Use undo ipsec anti-replay window to restore the default.
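The window size set with ipsec anti-replay window bounds how much packet reordering the receiver tolerates before a late packet is dropped. The following Python class is an added illustration, not the router's implementation: a sliding-window replay check in the style of RFC 4303 Appendix A, using the 32-packet window shown in the display ipsec sa output as its default.

```python
class AntiReplayWindow:
    """Sliding-window replay check for ESP/AH sequence numbers.

    Bit 0 of `bitmap` represents the highest accepted sequence number (`top`);
    bit i represents top - i. Anything older than top - (size - 1) is rejected
    as outside the window, anything already marked is rejected as a replay.
    """

    def __init__(self, size=32, enabled=True):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.enabled = enabled   # models "undo ipsec anti-replay check"
        self.top = 0             # highest sequence number accepted so far
        self.bitmap = 0          # which of the last `size` numbers were seen

    def check_and_update(self, seq):
        """Return True if `seq` is accepted (and recorded), False if rejected."""
        if not self.enabled:
            return True
        if seq == 0:
            return False                    # sequence numbers start at 1
        if seq > self.top:                  # new highest value: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1             # everything previously seen falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:               # too old: outside the window
            return False
        if self.bitmap & (1 << diff):       # already received: replay
            return False
        self.bitmap |= 1 << diff            # late but fresh: accept and mark
        return True


def replay_events(window, seqs):
    """Feed sequence numbers in arrival order and return the rejected ones."""
    return [s for s in seqs if not window.check_and_update(s)]


if __name__ == "__main__":
    # Constructed arrival order: a duplicate, a jump ahead, a too-old packet,
    # a late-but-fresh packet, and a replay of it.
    arrivals = [1, 2, 3, 2, 40, 5, 39, 39, 8, 9]
    print("window 32 rejects:", replay_events(AntiReplayWindow(32), arrivals))
    print("window 64 rejects:", replay_events(AntiReplayWindow(64), arrivals))
```

With a 64-packet window the packet with sequence number 5 (35 behind the newest) is still accepted, which is the trade-off the window size controls.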
With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to protect certain data flows. For each packet to be sent out an IPsec protected interface, the system checks the IPsec policies of the IPsec policy group in the ascending order of sequence numbers.
In a group encrypted transport VPN, you must configure IPsec GDOI policies on the group members. For more information about group encrypted transport VPN, see Security Configuration Guide. Examples # Create an IPsec policy with the name policy1 and sequence number 100, and specify to set up SAs through IKE negotiation.
Examples # Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1. <Sysname> system-view [Sysname] ipsec policy policy2 200 isakmp template temp1 ipsec policy-template Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view.
Syntax ipsec profile profile-name undo ipsec profile profile-name Default No IPsec profile exists. Views System view Default command level 2: System level Parameters profile-name: Specifies the name for the IPsec profile, a case-insensitive string of 1 to 15 characters. Usage guidelines IPsec profiles can be applied to only DVPN interfaces and IPsec tunnel interfaces.
To apply another IPsec profile to the tunnel interface, remove the original application first. An IPsec profile cannot be applied to the DVPN tunnel interface and the IPsec tunnel interface simultaneously. Examples # Apply IPsec profile vtiprofile to the IPsec tunnel interface. <Sysname>...
The SA lifetime applies only to IKE negotiated SAs. It is not effective on manually configured SAs.
Examples
# Set the time-based global SA lifetime to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).
[Sysname] ipsec sa global-duration traffic-based 10240
Related commands
•...
undo pfs Default The PFS feature is not used for negotiation. Views IPsec policy view, IPsec policy template view, IPsec profile view Default command level 2: System level Parameters dh-group1: Uses 768-bit Diffie-Hellman group. This keyword is not available in FIPS mode. dh-group2: Uses 1024-bit Diffie-Hellman group.
Default command level 2: System level Usage guidelines The command is not applicable to manual IPsec policies. If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation. Examples # Enable the IPsec policy with the name policy1 and sequence number 100. <Sysname>...
# Clear all IPsec SAs of IPsec profile policy1. <Sysname> reset ipsec sa policy policy1 Related commands display ipsec sa reset ipsec statistics Use reset ipsec statistics to clear IPsec packet statistics. Syntax reset ipsec statistics Views User view Default command level 1: Monitor level Examples # Clear IPsec packet statistics.
Usage guidelines IPsec RRI operates in static mode or dynamic mode: • Static IPsec RRI creates one static route for each destination address permitted by the ACL that the IPsec policy references. Static IPsec RRI creates static routes immediately after you configure IPsec RRI for an IPsec policy and apply the IPsec policy.
Examples
# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network 3.0.0.0/24 as the destination and the remote gateway 1.1.1.2 as the next hop.
<Sysname> system-view
[Sysname] ike peer 1
[Sysname-ike-peer-1] remote-address 1.1.1.2
[Sysname-ike-peer-1] quit
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0...
# Configure dynamic IPsec RRI to create static routes based on IPsec SAs. Take 1.1.1.3 as the next hop.
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. The expected route appears in the routing table after the IPsec SA negotiation succeeds.
When you change the route preference, static IPsec RRI deletes all static routes it has created and creates new static routes. In contrast, dynamic IPsec RRI applies the new preference only to subsequent static routes. It does not delete or modify static routes it has created. Examples # Set the preference to 100 for static routes populated by IPsec RRI.
sa authentication-hex Use sa authentication-hex to configure an authentication key for an SA. Use undo sa authentication-hex to remove the configuration. Syntax sa authentication-hex { inbound | outbound } { ah | esp } [ cipher | simple ] hex-key undo sa authentication-hex { inbound | outbound } { ah | esp } Views IPsec policy view...
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah simple aabbccddeeff001100aabbccddeeff00
Related commands
ipsec policy (system view)
sa duration
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile. Use undo sa duration to restore the default.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime.
[Sysname-ipsec-profile-profile1] sa duration time-based 7200
# Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480
Related commands
• ipsec sa global-duration
• ipsec policy (system view)
•...
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel. Examples # Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.
connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group. Examples # Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA. Enter keys in the same format for the local and remote inbound and outbound SAs. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.
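The matching rules for manual SAs stated in the two paragraphs above (local inbound SPI and key equal the remote outbound SPI and key, and vice versa; one key format on both ends) are easy to get wrong when two devices are configured by hand. The following is an added Python checker, not Comware code. It reads the sa spi, sa string-key, sa authentication-hex and sa encryption-hex lines of a manual IPsec policy from each side, ignores everything else, and reports every violation of those rules. The configuration snippets are constructed for the example; keys entered with the cipher keyword are stored encrypted and are reported as not comparable rather than compared.

```python
"""Consistency check for both ends of a manually keyed IPsec tunnel (added example)."""
from typing import Dict, List, Tuple

KEY_CMDS = ("string-key", "authentication-hex", "encryption-hex")
OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}


def parse_manual_policy(text: str) -> dict:
    """Collect SPIs and keys from the 'sa ...' lines of a manual IPsec policy block."""
    spi: Dict[Tuple[str, str], int] = {}                      # (direction, protocol) -> SPI
    keys: Dict[Tuple[str, str, str], Tuple[str, str, str]] = {}  # (dir, proto, cmd) -> (fmt, form, value)
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[0] != "sa":
            continue
        cmd, direction, proto = parts[1], parts[2], parts[3]
        if cmd == "spi":
            spi[(direction, proto)] = int(parts[4])
        elif cmd in KEY_CMDS:
            form = parts[4] if parts[4] in ("cipher", "simple") else "simple"
            fmt = "string" if cmd == "string-key" else "hex"
            keys[(direction, proto, cmd)] = (fmt, form, parts[-1])
    return {"spi": spi, "keys": keys}


def check_pair(local: dict, remote: dict) -> List[str]:
    """Apply the page's rules: local inbound must pair with remote outbound, same key format everywhere."""
    problems: List[str] = []
    for (direction, proto), value in local["spi"].items():
        peer_dir = OPPOSITE[direction]
        peer = remote["spi"].get((peer_dir, proto))
        if peer is None:
            problems.append(f"remote lacks an {peer_dir} {proto} SPI to pair with local {direction} SPI {value}")
        elif peer != value:
            problems.append(f"SPI mismatch: local {direction} {proto} {value} vs remote {peer_dir} {proto} {peer}")
    for (direction, proto, cmd), (fmt, form, value) in local["keys"].items():
        peer_dir = OPPOSITE[direction]
        peer = remote["keys"].get((peer_dir, proto, cmd))
        if peer is None:
            problems.append(f"remote lacks {peer_dir} {proto} {cmd}")
            continue
        if form == "cipher" or peer[1] == "cipher":
            problems.append(f"{direction} {proto} {cmd}: cipher-form key cannot be compared textually")
        elif peer[2] != value:
            problems.append(f"key mismatch: local {direction} {proto} {cmd} vs remote {peer_dir}")
    formats = {fmt for (fmt, _, _) in list(local["keys"].values()) + list(remote["keys"].values())}
    if len(formats) > 1:
        problems.append("mixed key formats: all SAs on both ends must use hex keys or all must use string keys")
    return problems


# Constructed configuration snippets (not taken from a real device).
LOCAL = """\
ipsec policy policy1 100 manual
 security acl 3001
 transform-set prop1
 tunnel local 1.1.1.1
 tunnel remote 1.1.1.2
 sa spi inbound esp 12345
 sa spi outbound esp 54321
 sa string-key inbound esp simple abcdefg
 sa string-key outbound esp simple gfedcba
"""
REMOTE_OK = """\
ipsec policy policy1 100 manual
 sa spi inbound esp 54321
 sa spi outbound esp 12345
 sa string-key inbound esp simple gfedcba
 sa string-key outbound esp simple abcdefg
"""
REMOTE_BAD = """\
ipsec policy policy1 100 manual
 sa spi inbound esp 54321
 sa spi outbound esp 12346
 sa authentication-hex inbound esp simple 0011223344556677
 sa encryption-hex inbound esp simple 0011223344556677
 sa string-key outbound esp simple abcdefg
"""

if __name__ == "__main__":
    print(check_pair(parse_manual_policy(LOCAL), parse_manual_policy(REMOTE_OK)))   # []
    for p in check_pair(parse_manual_policy(LOCAL), parse_manual_policy(REMOTE_BAD)):
        print("-", p)
```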
aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the standard mode is used. This protection mode is not available for IPv6 data flow. Usage guidelines With an IKE-dependent IPsec policy configured, data flows can be protected in two modes: •...
Default The ESP protocol is used. Views IPsec transform set view Default command level 2: System level Parameters ah: Uses the AH protocol. ah-esp: Uses ESP first and then AH. esp: Uses the ESP protocol. Usage guidelines The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol. Examples # Configure IPsec transform set prop1 to use AH.
A manual IPsec policy can reference only one IPsec transform set. To replace a referenced IPsec transform set, use the undo transform-set command to remove the original transform set binding and then use the transform-set command to reconfigure one. An IKE negotiated IPsec policy can reference up to six IPsec transform sets. The IKE negotiation process will search for and use the exactly matched transform set.
The local address, if not configured, will be the address of the interface to which the IPsec policy is applied.
Examples
# Set the local address of the IPsec tunnel to the address of Loopback 0, 10.0.0.1.
<Sysname> system-view
[Sysname] interface loopback 0
[Sysname-LoopBack0] ip address 10.0.0.1 32
[Sysname-LoopBack0] quit
[Sysname] ipsec policy policy1 100 manual...
IKE configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Views
IKE proposal view
Default command level
2: System level
Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.
Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] authentication-method pre-share
Related commands
•...
Use undo dh to restore the default. Syntax dh { group1 | group2 | group5 | group14 } undo dh Default In FIPS mode, group2 (1024-bit Diffie-Hellman group) is used. In non-FIPS mode, group1 (768-bit Diffie-Hellman group) is used. Views IKE proposal view Default command level 2: System level...
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays information about all DPD detectors. Examples # Display information about all DPD detectors.
Examples
# Display information about all IKE peers.
<Sysname> display ike peer
---------------------------
IKE Peer: rtb4tunn
exchange mode: main on phase 1
pre-shared-key ******
peer id type: ip
peer ip address: 44.44.44.55
local ip address:
peer name:
nat traversal: disable
dpd: dpd1
---------------------------
Table 47 Command output...
exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines This command displays the configuration information of all IKE proposals in the descending order of proposal priorities.
Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range of 1 to 2000000000. remote: Displays detailed information about IKE SAs with a specific remote address. ipv6: Specifies an IPv6 address. ip-address: Specifies the remote address.
Field | Description
phase | The phase the SA belongs to:
• Phase 1—The phase for establishing the ISAKMP SA.
• Phase 2—The phase for negotiating the security service. IPsec SAs are established in this phase.
Interpretation domain to which the SA belongs:
•...
remote ip: 4.4.4.5
connection id: 2
authentication-method: PRE-SHARED-KEY
authentication-algorithm: HASH-SHA1
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 82480
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
<Sysname>...
Field | Description
remote id | Identifier of the remote security gateway.
local ip | IP address of the local gateway.
remote ip | IP address of the remote gateway.
connection id | Identifier of the IKE SA and IPsec SA.
authentication-method | Authentication method used by the IKE proposal.
authentication-algorithm | Authentication algorithm used by the IKE proposal.
encryption-algorithm
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal. Use undo encryption-algorithm to restore the default.
Syntax
encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }
undo encryption-algorithm
Default
In FIPS mode, an IKE proposal uses 128-bit AES in CBC mode. In non-FIPS mode, an IKE proposal uses 56-bit DES in CBC mode.
Views IKE peer view Default command level 2: System level Parameters aggressive: Specifies the aggressive mode. This keyword is not available in FIPS mode. main: Specifies the main mode. Usage guidelines When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, Hewlett Packard Enterprise recommends setting the IKE negotiation mode to aggressive at the local end.
If the ID type of FQDN is used, configure a name without any at sign (@) for the local security gateway, for example, foo.bar.com. If the ID type of user FQDN is used, configure a name with an at sign (@) for the local security gateway, for example, test@foo.bar.com. Examples # Use the ID type of name during IKE negotiation.
<Sysname> system-view
[Sysname] ike dpd dpd2
Related commands
• display ike dpd
• interval-time
• time-out
ike local-name
Use ike local-name to configure a name for the local security gateway. Use undo ike local-name to restore the default.
Syntax
ike local-name name
undo ike local-name
Default
The device name is used as the name of the local security gateway.
ike next-payload check disabled
Use ike next-payload check disabled to stop the device from checking the Next Payload field in the last payload of an IKE message during IKE negotiation. This allows interoperation with products that set that field to a value other than zero. Use undo ike next-payload check disabled to restore the default.
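The field this command relaxes is the first byte of the ISAKMP generic payload header (RFC 2408, section 3.2): each payload names the type of the payload that follows it, and the last payload must carry 0 (NONE). The following is an added Python walker for that payload chain, not Comware code. It builds a constructed two-payload message, validates the header length and every payload length, and in strict mode rejects a final payload whose Next Payload is non-zero; passing check_last_next_payload=False reproduces the lenient behaviour that the command above enables. Payload bodies are dummy bytes, not real SA or nonce contents.

```python
"""ISAKMP payload-chain walker with an optional last-Next-Payload check (added example)."""
import struct
from typing import List, Tuple

# RFC 2408 3.1: 8-byte initiator cookie, 8-byte responder cookie, Next Payload, version,
# exchange type, flags, message ID, total length (28 bytes).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# RFC 2408 3.2: generic payload header: Next Payload, RESERVED, Payload Length (4 bytes).
PAYLOAD_HDR = struct.Struct("!BBH")
NONE, SA, NONCE = 0, 1, 10            # payload type values from RFC 2408 3.1


def build_message(payloads: List[Tuple[int, bytes]], last_next_payload: int = NONE,
                  exchange_type: int = 2) -> bytes:
    """Serialise [(type, body), ...] into an ISAKMP message (constructed test data).

    last_next_payload lets the caller emulate a peer that leaves a non-zero value in the
    Next Payload field of the final payload."""
    out = bytearray()
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else last_next_payload
        out += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else NONE
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange_type, 0, 0,
                          ISAKMP_HDR.size + len(out))
    return hdr + bytes(out)


def parse_payloads(msg: bytes, check_last_next_payload: bool = True) -> List[Tuple[int, bytes]]:
    """Walk the payload chain and return [(type, body), ...]; raise ValueError on malformed input.

    check_last_next_payload=True is the default behaviour; False corresponds to
    'ike next-payload check disabled'."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _, _, next_type, _, _, _, _, length = ISAKMP_HDR.unpack_from(msg, 0)
    if length != len(msg):
        raise ValueError("header length does not match message size")
    offset = ISAKMP_HDR.size
    result: List[Tuple[int, bytes]] = []
    while next_type != NONE:
        if offset + PAYLOAD_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = PAYLOAD_HDR.unpack_from(msg, offset)
        if plen < PAYLOAD_HDR.size or offset + plen > len(msg):
            raise ValueError("bad payload length")
        result.append((next_type, msg[offset + PAYLOAD_HDR.size:offset + plen]))
        offset += plen
        if offset == len(msg):
            # This was the final payload; RFC 2408 requires Next Payload = 0 here.
            if nxt != NONE and check_last_next_payload:
                raise ValueError(f"last payload has Next Payload {nxt}, expected 0")
            break
        next_type = nxt
    if offset != len(msg):
        raise ValueError("trailing bytes after payload chain")
    return result


def accepts(msg: bytes, strict: bool = True) -> bool:
    """True if the message parses under the given checking mode."""
    try:
        parse_payloads(msg, check_last_next_payload=strict)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_message([(SA, b"\x00" * 8), (NONCE, b"\xaa" * 16)])
    sloppy = build_message([(SA, b"\x00" * 8), (NONCE, b"\xaa" * 16)], last_next_payload=5)
    print("compliant peer, strict:", accepts(good))            # True
    print("sloppy peer, strict:   ", accepts(sloppy))          # False
    print("sloppy peer, relaxed:  ", accepts(sloppy, False))   # True
```

Disabling the check only changes how the final Next Payload byte is treated; the length checks still run, so a truncated or oversized payload is rejected in both modes.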
Use undo ike proposal to delete an IKE proposal. Syntax ike proposal proposal-number undo ike proposal proposal-number Views System view Default command level 2: System level Parameters proposal-number: Specifies the IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal.
Views System view Default command level 2: System level Parameters seconds: Specifies the transmission interval of ISAKMP SA keepalives in seconds, in the range of 20 to 28,800. Usage guidelines The keepalive interval configured at the local end must be shorter than the keepalive timeout configured at the remote end.
Related commands ike sa keepalive-timer interval ike sa nat-keepalive-timer interval Use ike sa nat-keepalive-timer interval to set the NAT keepalive interval. Use undo ike sa nat-keepalive-timer interval to disable the function. Syntax ike sa nat-keepalive-timer interval seconds undo ike sa nat-keepalive-timer interval Default The NAT keepalive interval is 20 seconds.
Examples
# Set the DPD interval to 1 second for dpd2.
<Sysname> system-view
[Sysname] ike dpd dpd2
[Sysname-ike-dpd-dpd2] interval-time 1
local
Use local to set the subnet type of the local security gateway for IKE negotiation. Use undo local to restore the default.
Syntax
local { multi-subnet | single-subnet }
undo local...
Views IKE peer view Default command level 2: System level Parameters ipv6: Specifies an IPv6 address. ip-address: Specifies the IP address of the local security gateway to be used in IKE negotiation. Examples # Set the IP address of the local security gateway to 1.1.1.1. <Sysname>...
Related commands • remote-name • id-type nat traversal Use nat traversal to enable the NAT traversal function of IKE/IPsec. Use undo nat traversal to disable the NAT traversal function of IKE/IPsec. Syntax nat traversal undo nat traversal Default The NAT traversal function is disabled. Views IKE peer view Default command level...
Examples
# Set the subnet type of the peer security gateway to multiple.
<Sysname> system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] peer multi-subnet
pre-shared-key
Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation. Use undo pre-shared-key to remove the configuration.
Syntax
In FIPS mode:
pre-shared-key [ [ cipher | simple ] key ]...
undo proposal [ proposal-number ] Default An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view. Views IKE peer view Default command level 2: System level Parameters proposal-number&<1-6>: Specifies the sequence number of the IKE proposal for the IKE peer to reference, in the range of 1 to 65535.
dynamic: Specifies to use dynamic address resolution for the IPsec remote peer name. If you do not provide this keyword, the local end has the remote host name resolved only once after you configure the remote host name. low-ip-address: Specifies the IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses.
Parameters name: Specifies the name of the peer security gateway for IKE negotiation, a string of 1 to 32 characters. Usage guidelines If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator.
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
<Sysname> reset ike sa 2
<Sysname> display ike sa
total phase-1 SAs:
connection-id  peer            flag      phase
----------------------------------------------------------
               202.38.0.2      RD|ST     IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
Related commands
display ike sa
sa duration
Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.
Use undo time-out to restore the default. Syntax time-out time-out undo time-out Views IKE DPD view Default command level 2: System level Parameters time-out: Specifies the DPD packet retransmission interval in seconds, in the range of 1 to 60. Usage guidelines The default DPD packet retransmission interval is 5 seconds.
SSH configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server configuration commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
Field | Description
SSH version | SSH protocol version. When the server is configured to be compatible with SSH1 clients, the version is reported as 1.99. Otherwise, the version is 2.
SSH authentication-timeout | Authentication timeout timer.
SSH server key generating interval | SSH server key pair update interval.
SSH Authentication retries | Maximum number of SSH authentication attempts.
Syntax display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters username: Specifies an SSH username, a string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
sftp server enable Use sftp server enable to enable the SFTP server function. Use undo sftp server enable to disable the SFTP server function. Syntax sftp server enable undo sftp server enable Default The SFTP server function is disabled. Views System view Default command level 3: Manage level...
<Sysname> system-view
[Sysname] sftp server idle-timeout 500
Related commands
display ssh server
ssh server authentication-retries
Use ssh server authentication-retries to set the maximum number of connection authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default.
Syntax
ssh server authentication-retries times
undo ssh server authentication-retries...
Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The authentication timeout timer is 60 seconds. Views System view Default command level 3: Manage level Parameters time-out-value: Specifies an authentication timeout timer in seconds, in the range of 1 to 120. Usage guidelines If a user does not finish the authentication when the timer expires, the connection cannot be established.
[Sysname] ssh server compatible-ssh1x enable Related commands display ssh server ssh server enable Use ssh server enable to enable the SSH server function so that the SSH clients use SSH to communicate with the server. Use undo ssh server enable to disable the SSH server function. Syntax ssh server enable undo ssh server enable...
Usage guidelines
This command is only available to SSH users that use SSH1 client software. Periodically updating the RSA server key pair limits how long a compromised or cracked key remains useful to an attacker and so strengthens the security of SSH connections. The system does not update any DSA key pair periodically.
Examples
# Set the RSA server key pair update interval to 3 hours.
method is supported only when the router acts as an SSH server and uses the HWTACACS server as the remote authentication server. • any: Specifies either password authentication, publickey authentication, or keyboard-interactive authentication. • password-publickey: Specifies both password authentication and publickey authentication (featuring higher security) if the client runs SSH2, and specifies either type of authentication if the client runs SSH1.
SSH client configuration commands
bye
Use bye to terminate the connection with the SFTP server and return to user view.
Syntax
bye
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions the same as the exit and quit commands.
Examples
# Terminate the connection with the SFTP server.
cdup Use cdup to return to the upper-level directory. Syntax cdup Views SFTP client view Default command level 3: Manage level Examples # Return to the upper-level directory from the current working directory /new1. sftp-client> cdup Current Directory is: delete Use delete to delete files from a server.
Syntax dir [ -a | -l ] [ remote-path ] Views SFTP client view Default command level 3: Manage level Parameters -a: Displays the names of the files and sub-directories under the specified directory. -l: Displays detailed information about the files and sub-directories under the specified directory in the form of a list.
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If neither source IP address nor source interface is specified for the SFTP client, the system displays the message "Neither source IP address nor source interface was specified for the SFTP client."...
display ssh server-info Use display ssh server-info on a client to display mappings between SSH servers and their host public keys on an SSH client. Syntax display ssh server-info [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions the same as the bye and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> exit
Connection closed.
<Sysname>
get
Use get to download a file from the SFTP server and save it locally.
Syntax
get remote-file [ local-file ]
Views...
Parameters all: Displays all commands. command-name: Specifies a command. Usage guidelines If you do not specify any argument or keyword, the command displays all commands in a list. Examples # Display the help information of the get command. sftp-client> help get get remote-path [local-path] Download file.Default local-path is the same as remote-path...
mkdir Use mkdir to create a directory on the SFTP server. Syntax mkdir remote-path Views SFTP client view Default command level 3: Manage level Parameters remote-path: Specifies a directory on the SFTP server. Examples # Create a directory named test on the SFTP server. sftp-client>...
Default command level 3: Manage level Examples # Display the current working directory of the SFTP server. sftp-client> pwd quit Use quit to terminate the connection with an SFTP server and return to user view. Syntax quit Views SFTP client view Default command level 3: Manage level Usage guidelines...
The following files will be deleted: /temp.c Are you sure to delete it? [Y/N]:y This operation might take a long time.Please wait... File successfully Removed rename Use rename to change the name of a file or directory on an SFTP server. Syntax rename oldname newname Views...
• des: Specifies the encryption algorithm des-cbc. This keyword is not available in FIPS mode. prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96. • md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode. •...
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode. • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.This keyword is not available in FIPS mode. • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1. prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
undo sftp client ipv6 source Default An SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server. Views System view Default command level 3: Manage level Parameters interface interface-type interface-number: Specifies a source interface by its type and number. ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, Hewlett Packard Enterprise recommends that you specify a loopback interface as the source interface. Examples # Specify the source IP address of the SFTP client as 192.168.0.1.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. • 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode. • aes128: Specifies the encryption algorithm aes128-cbc. • aes256: Specifies the encryption algorithm aes256-cbc. This keyword is not available in non-FIPS mode.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
<Sysname> sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
Input Username:
ssh client authentication server
Use ssh client authentication server on the client to configure the host public key of the specified server so that the client can determine whether the server is trustworthy.
Syntax
ssh client first-time enable
undo ssh client first-time
Default
The function is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
When first-time authentication is disabled, a client that does not have the server's host public key configured cannot access that server.
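The trust decision behind ssh client first-time enable is the usual trust-on-first-use model. The following is an added Python illustration, not Comware code: with first-time authentication on, an unknown server's host key is accepted and remembered; with it off, only a key provisioned in advance (the role of ssh client authentication server on this page) is accepted; and in either mode a key that differs from the remembered one is refused, because that is the signature of a man-in-the-middle or a silently re-keyed server. Key blobs and the SHA256 fingerprint format are constructed for the example.

```python
"""Trust-on-first-use host-key store modelled on 'ssh client first-time enable' (added example)."""
import base64
import hashlib
from typing import Dict, Tuple


def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    def __init__(self, first_time_enabled: bool = True):
        self.first_time_enabled = first_time_enabled
        self.known: Dict[str, str] = {}          # server name -> fingerprint

    def configure(self, server: str, pubkey_blob: bytes) -> None:
        """Pre-provision a host key verified out of band (ssh client authentication server)."""
        self.known[server] = fingerprint(pubkey_blob)

    def verify(self, server: str, pubkey_blob: bytes) -> Tuple[bool, str]:
        """Decide whether to continue the connection; returns (accepted, reason)."""
        fp = fingerprint(pubkey_blob)
        stored = self.known.get(server)
        if stored is None:
            if self.first_time_enabled:
                # Trust on first use: an attacker present at this moment would be remembered.
                self.known[server] = fp
                return True, "first-time: key saved"
            return False, "unknown host key and first-time authentication disabled"
        if stored == fp:
            return True, "known key"
        # Never auto-accept a changed key in either mode.
        return False, "host key changed"


# Constructed key blobs (not real keys).
KEY_A = b"ssh-rsa constructed-blob-A"
KEY_B = b"ssh-rsa constructed-blob-B"

if __name__ == "__main__":
    tofu = HostKeyStore(first_time_enabled=True)
    print(tofu.verify("gw1", KEY_A))     # (True, 'first-time: key saved')
    print(tofu.verify("gw1", KEY_B))     # (False, 'host key changed')
    strict = HostKeyStore(first_time_enabled=False)
    print(strict.verify("gw1", KEY_A))   # (False, 'unknown host key ...')
    strict.configure("gw1", KEY_A)
    print(strict.verify("gw1", KEY_A))   # (True, 'known key')
```

For management access to infrastructure devices, disabling first-time authentication and provisioning host keys explicitly closes the first-connection window that the default leaves open.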
Usage guidelines To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, Hewlett Packard Enterprise recommends that you specify a loopback interface as the source interface. Examples # Specify the source IPv6 address as 2:2::2:2 for the Stelnet client.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode. • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode. • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1. prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128. prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96. Usage guidelines When the client's authentication method is publickey, the client must get the local private key for digital signature.
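The prefer-kex, prefer-ctos-cipher, prefer-stoc-cipher, prefer-ctos-hmac and prefer-stoc-hmac parameters described for the sftp, sftp ipv6, ssh2 and ssh2 ipv6 commands above all feed the same negotiation: RFC 4253, section 7.1, picks the first algorithm on the client's list that the server also offers. The following is an added Python model of that negotiation, not Comware code. The keyword-to-algorithm mapping and the set of keywords marked "not available in FIPS mode" are taken from this page (md5-96 and sha1 are assumed from the same command family, since the list on the page is truncated); the client default name-lists beyond their first entry, and both server lists, are constructed assumptions. It shows that a client preferring dh-group1 and hmac-md5 gets exactly those from a permissive server, falls back to stronger choices against a hardened server, and is refused outright in FIPS mode.

```python
"""SSH algorithm negotiation driven by Comware-style prefer-* keywords (added example)."""
from typing import Dict, List, Optional

# Keyword -> SSH algorithm name, as listed in the prefer-* parameter descriptions.
KEYWORD_TO_ALG = {
    "3des": "3des-cbc", "aes128": "aes128-cbc", "aes256": "aes256-cbc", "des": "des-cbc",
    "md5": "hmac-md5", "md5-96": "hmac-md5-96",            # md5-96, sha1: assumed keywords
    "sha1": "hmac-sha1", "sha1-96": "hmac-sha1-96",
    "dh-group-exchange": "diffie-hellman-group-exchange-sha1",
    "dh-group1": "diffie-hellman-group1-sha1",
    "dh-group14": "diffie-hellman-group14-sha1",
}
# Keywords the page marks "not available in FIPS mode" (md5-96 assumed alongside md5).
FIPS_UNAVAILABLE = {"des", "3des", "md5", "md5-96", "dh-group-exchange", "dh-group1"}

# Client default name-lists (assumption; the page only gives the default first entry:
# aes128 for ciphers, sha1-96 for HMACs). A prefer-* keyword moves one entry to the front.
CLIENT_DEFAULTS = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "cipher": ["aes128-cbc", "aes256-cbc", "3des-cbc", "des-cbc"],
    "mac": ["hmac-sha1-96", "hmac-sha1", "hmac-md5", "hmac-md5-96"],
}
# prefer-* option -> (negotiated item, algorithm category)
OPTION_CATEGORY = {
    "prefer-kex": ("kex", "kex"),
    "prefer-ctos-cipher": ("ctos-cipher", "cipher"),
    "prefer-stoc-cipher": ("stoc-cipher", "cipher"),
    "prefer-ctos-hmac": ("ctos-hmac", "mac"),
    "prefer-stoc-hmac": ("stoc-hmac", "mac"),
}

# Constructed server name-lists: one accepts everything, one has dropped the legacy algorithms.
SERVER_PERMISSIVE = {
    "kex": CLIENT_DEFAULTS["kex"], "cipher": CLIENT_DEFAULTS["cipher"], "mac": CLIENT_DEFAULTS["mac"],
}
SERVER_HARDENED = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"],
    "cipher": ["aes128-cbc", "aes256-cbc"],
    "mac": ["hmac-sha1-96", "hmac-sha1"],
}


def client_namelist(category: str, keyword: Optional[str]) -> List[str]:
    """Default list with the preferred algorithm (if any) moved to the front."""
    base = CLIENT_DEFAULTS[category]
    if keyword is None:
        return list(base)
    alg = KEYWORD_TO_ALG[keyword]
    return [alg] + [a for a in base if a != alg]


def negotiate(client_list: List[str], server_list: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first algorithm on the client's list that the server also lists."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def negotiate_session(options: Dict[str, str], server: Dict[str, List[str]],
                      fips: bool = False) -> Dict[str, Optional[str]]:
    """options: e.g. {'prefer-kex': 'dh-group1', 'prefer-ctos-hmac': 'md5'}.
    In FIPS mode a keyword the page marks unavailable is rejected before any negotiation."""
    result: Dict[str, Optional[str]] = {}
    for option, (item, category) in OPTION_CATEGORY.items():
        keyword = options.get(option)
        if fips and keyword in FIPS_UNAVAILABLE:
            raise ValueError(f"{option} {keyword} is not available in FIPS mode")
        result[item] = negotiate(client_namelist(category, keyword), server[category])
    return result


if __name__ == "__main__":
    legacy = {"prefer-kex": "dh-group1", "prefer-ctos-hmac": "md5"}
    print("permissive server:", negotiate_session(legacy, SERVER_PERMISSIVE))
    print("hardened server:  ", negotiate_session(legacy, SERVER_HARDENED))
```

The practical point: a client-side prefer-* keyword can only select an algorithm the server still offers, so removing des-cbc, hmac-md5 and group1 from the server side is what actually retires them; the FIPS-mode restriction does the same on the client.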
Field | Description
Out-bound Policy | Indicates that an IPv6 ACL is configured in the outbound direction of the interface.
acl6 | IPv6 ACL number.
0 packets, 0 bytes, 0% permitted | Indicates the packets permitted by IPv6 ACL rules: the number of packets and bytes, and the percentage of the permitted packets to the total.
Default The IPv4 firewall function is disabled. Views System view Default command level 2: System level Parameters all: Specifies all interface cards. slot slot-number: Specifies the interface card in the specified slot. (In standalone mode.) chassis chassis-number slot slot-number: Specifies an interface card in an IRF member device. The chassis-number argument represents the IRF member ID of the device.
undo firewall ipv6 enable Default The IPv6 firewall function is disabled. Views System view Default command level 2: System level Examples # Enable the IPv6 firewall function. <Sysname> system-view [Sysname] firewall ipv6 enable firewall packet-filter Use firewall packet-filter to configure IPv4 packet filtering on the interface. Use undo firewall packet-filter to cancel the configuration.
firewall packet-filter ipv6 Use firewall packet-filter ipv6 to configure IPv6 packet filtering on the interface. Use undo firewall packet-filter ipv6 to remove the IPv6 packet filtering setting on the interface. Syntax firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound } undo firewall packet-filter ipv6 [ { acl6-number | name acl6-name } ] { inbound | outbound } Default IPv6 packets are not filtered on the interface.
interface interface-type interface-number: Clears the packet filtering statistics on the specified interface of the IPv6 firewall.
Examples
# Clear the packet filtering statistics on GigabitEthernet 3/0/1 of the IPv6 firewall.
<Sysname> reset firewall ipv6 statistics interface gigabitethernet 3/0/1
Related commands
display firewall ipv6 statistics
reset firewall-statistics
Use reset firewall-statistics to clear the packet filtering statistics of the IPv4 firewall.
Usage guidelines
A defined ASPF policy can be applied through its policy number.
Examples
# Create an ASPF policy and enter the corresponding ASPF policy view.
<Sysname> system-view
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1]
display aspf all
Use display aspf all to view information about all ASPF policies.
Syntax
display aspf all [ | { begin | exclude | include } regular-expression ]
Views...
Field | Description
icmp-error drop | Drop ICMP error messages.
tcp syn-check | Drop any non-SYN packet that is the first packet over a TCP connection.
undo icmp-error drop | Do not drop ICMP error messages.
undo tcp syn-check | Do not drop a non-SYN packet that is the first packet over a TCP connection.
display aspf policy Use display aspf policy to view information about an ASPF policy. Syntax display aspf policy aspf-policy-number [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters aspf-policy-number: Specifies an ASPF policy number in the range of 1 to 99.
Default command level 1: Monitor level Parameters application-name: Name of the application to be used for port mapping. Available applications include FTP, H323, HTTP, HTTPS, IKE, RTSP, SMTP, SSH, and VAM. port port-number: Specifies to display port mapping information on the specified port. The port number is in the range of 0 to 65535.
Syntax firewall aspf aspf-policy-number { inbound | outbound } undo firewall aspf aspf-policy-number { inbound | outbound } Default No ASPF policy is applied on the interface. Views Interface view Default command level 2: System level Parameters aspf-policy-number: Specifies the number of an ASPF policy, in the range of 1 to 99. inbound: Applies ASPF policy to inbound packets.
port-mapping Use port-mapping to map a port to an application layer protocol. Use undo port-mapping to remove a port mapping entry. Syntax port-mapping application-name port port-number [ acl acl-number ] undo port-mapping [ application-name port port-number [ acl acl-number ] ] Default There is no mapping between the port and the application layer.
Examples # Configure ASPF policy 1 to drop any non-SYN packet which is the first packet over a TCP connection. <Sysname> system-view [Sysname] aspf-policy 1 [Sysname-aspf-policy-1] tcp syn-check Related commands aspf-policy...
Session management commands application aging-time Use application aging-time to set the aging timer for the sessions of an application layer protocol. Use undo application aging-time to restore the default. Syntax application aging-time { dns | ftp | msn | qq | sip } time-value undo application aging-time [ dns | ftp | msn | qq | sip ] Default The default session aging times for the application layer protocols vary with device models.
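The tcp syn-check behaviour described in the ASPF section above and the per-application session aging timers introduced by application aging-time act on the same session table. The following is an added Python model of that table, not Comware code: traffic leaving the protected side may open a session, but only if a TCP session starts with a SYN when syn-check is on; returning traffic is forwarded only while a matching session exists; and idle sessions are removed after their application's aging time. The aging values, the tiny port-mapping table and the packets are constructed for the example (the page says the real defaults vary by device model).

```python
"""Stateful session table with TCP SYN check and per-application aging (added example)."""
from dataclasses import dataclass
from typing import Dict, Tuple

TCP_SYN = 0x02

# Seconds of inactivity before a session is removed (constructed values, not device defaults).
AGING = {"dns": 1, "ftp": 3600, "tcp": 3600, "udp": 30, "icmp": 10}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" | "udp" | "icmp"
    flags: int = 0      # TCP flags; only SYN is inspected here
    ts: float = 0.0     # arrival time in seconds


def classify(pkt: Packet) -> str:
    """Minimal port mapping: well-known port -> application protocol, else the transport."""
    ports = {pkt.sport, pkt.dport}
    if pkt.proto == "udp" and 53 in ports:
        return "dns"
    if pkt.proto == "tcp" and 21 in ports:
        return "ftp"
    return pkt.proto


SessionKey = Tuple[str, Tuple[Tuple[str, int], Tuple[str, int]]]


class SessionTable:
    def __init__(self, syn_check: bool = True, aging: Dict[str, int] = AGING):
        self.syn_check = syn_check
        self.aging = aging
        self.sessions: Dict[SessionKey, dict] = {}

    @staticmethod
    def key(pkt: Packet) -> SessionKey:
        """Direction-independent key so replies match the session the request opened."""
        ends = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
        return (pkt.proto, ends)  # type: ignore[return-value]

    def age_out(self, now: float) -> None:
        """Remove sessions idle longer than their application's aging time."""
        expired = [k for k, s in self.sessions.items() if now - s["last"] > self.aging[s["app"]]]
        for k in expired:
            del self.sessions[k]

    def inspect(self, pkt: Packet, direction: str) -> str:
        """direction 'out': traffic leaving the protected side (may open a session);
        'in': traffic entering it (must match an existing session). Returns a verdict string."""
        self.age_out(pkt.ts)
        k = self.key(pkt)
        session = self.sessions.get(k)
        if session is not None:
            session["last"] = pkt.ts
            return "forward"
        if direction == "in":
            return "drop:no-session"
        if pkt.proto == "tcp" and self.syn_check and not (pkt.flags & TCP_SYN):
            return "drop:non-syn-first"       # tcp syn-check
        self.sessions[k] = {"last": pkt.ts, "app": classify(pkt)}
        return "forward"


if __name__ == "__main__":
    table = SessionTable(syn_check=True)
    client = ("10.0.0.5", 51000, "203.0.113.7", 80)
    print(table.inspect(Packet(*client, "tcp", flags=0x10, ts=0.0), "out"))   # drop:non-syn-first
    print(table.inspect(Packet(*client, "tcp", flags=0x02, ts=1.0), "out"))   # forward
    print(table.inspect(Packet("203.0.113.7", 80, "10.0.0.5", 51000, "tcp", flags=0x12, ts=2.0), "in"))
    print(table.inspect(Packet("10.0.0.5", 53001, "203.0.113.53", 53, "udp", ts=10.0), "out"))
    print(table.inspect(Packet("203.0.113.53", 53, "10.0.0.5", 53001, "udp", ts=13.0), "in"))  # aged out
```

Short aging times for request/response protocols such as DNS keep the table small and shrink the window in which a spoofed reply can match a session; long timers for interactive sessions such as FTP avoid dropping idle but legitimate connections.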
Syntax display application aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Views Any view Default command level 1: Monitor level Parameters slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument specifies the ID of the IRF member device.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
display session statistics [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides.
Dropped TCP: 0 packet(s) 0 byte(s) Dropped UDP: 0 packet(s) 0 byte(s) Dropped ICMP: 0 packet(s) 0 byte(s) Dropped RAWIP: 0 packet(s) 0 byte(s) Table 63 Command output Field Description Current session(s) Total number of sessions. Current TCP session(s) Number of TCP sessions. Half-Open Number of TCP sessions in the half-open state.
Views Any view Default command level 1: Monitor level Parameters slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides. (In standalone mode) chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument specifies the ID of the IRF member device.
source-ip source-ip: Clears the sessions with the specified source IP address of the initiator. destination-ip destination-ip: Clears the sessions with the specified destination IP address of the initiator. protocol-type { icmp | raw-ip | tcp | udp }: Clears the sessions of the specified protocol type. The protocol types include ICMP, Raw IP, TCP, and UDP.
<Sysname> reset session statistics session aging-time Use session aging-time to set the aging timer for sessions of a specified protocol that are in a specified state. Use undo session aging-time to restore the default. If no keyword is specified, the command restores the session aging timers for all protocol states to the defaults.
• TCP ESTABLISHED state: 3600 seconds. • UDP OPEN state: 30 seconds. • UDP READY state: 60 seconds. To display the session aging timers in different protocol states, use the display session aging-time command. Examples # Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 60 seconds. <Sysname>...
Default The session aging time is not shortened. Views System view Default command level 2: System level Parameters shorten-time: Specifies the time value to shorten the session aging time. The value range is 5 to 100000 seconds. threshold-high-value: Specifies the upper threshold for the session ratio. The value range is 1 to 100 percent.
Parameters bytes-value: Byte count threshold for session logging, in the range of 1 to 1000 megabytes. Examples # Set the byte count threshold for session logging to 10 megabytes. <Sysname> system-view [Sysname] session log byte-active 10 session log enable Use session log enable to enable the session logging function. Use undo session log enable to disable the session logging function.
session log packets-active Use session log packets-active to set the packet count threshold for session logging. Use undo session log packets-active to restore the default. Syntax session log packets-active packets-value undo session log packets-active Default The system does not output session logs based on the packet count threshold. Views System view Default command level...
session max-entries Use session max-entries to set the maximum number of sessions. Use undo session max-entries to cancel the upper limit. Syntax In standalone mode: session max-entries max-entries slot slot-number undo session max-entries [ max-entries ] slot slot-number In IRF mode: session max-entries max-entries chassis chassis-number slot slot-number undo session max-entries [ max-entries ] chassis chassis-number slot slot-number Default...
Default No persistent session rule is specified. Views System view Default command level 2: System level Parameters acl-number: Specifies an ACL number in the range of 2000 to 3999. aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value range for the time-value argument is 0 to 360 and defaults to 24.
Usage guidelines A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy. After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.
Field Description limit xxx Rule in the policy. For more information, see the limit command. Related commands limit limit Use limit to configure an IP address-based connection limit policy rule. Within a connection limit policy, the criteria of each rule must be unique. Use undo limit to remove a connection limit policy rule.
per-source-destination: Limits connections by source-destination IP address pair. Usage guidelines The connection limit rules become invalid when the VPN with which the rules are associated is removed. The connection limit rules in a policy are matched in ascending order of rule ID. Take the match order into consideration when assigning rule IDs.
Table 66 Command output Field Description Serial number. Match-Times Number of times that a suffix keyword is matched. Keywords ActiveX blocking suffix keyword. # Display detailed ActiveX blocking information. <Sysname> display firewall http activex-blocking verbose ActiveX blocking is enabled. No ACL group has been configured. There are 5 packet(s) being filtered.
# Display Java blocking information for a specific suffix keyword. <Sysname> display firewall http java-blocking item .class The HTTP request packet including ".class" had been matched for 10 times. # Display Java blocking information for all suffix keywords. <Sysname> display firewall http java-blocking all Match-Times Keywords ----------------------------------------------...
begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays brief information about URL address filtering.
Syntax display firewall http url-filter parameter [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Specifies all filtering keywords. item keywords: Specifies a filtering keyword.
Table 70 Command output Field Description Serial number. Match-Times Number of times that the keyword has been matched. Keywords URL parameter filtering keyword. # Display detailed information about URL parameter filtering. <Sysname> display firewall http url-filter parameter verbose URL-filter parameter is enabled. There are 10 packet(s) being filtered.
firewall http activex-blocking enable Use firewall http activex-blocking enable to enable the ActiveX blocking function and add the default blocking keyword .ocx to the ActiveX blocking suffix list. Use undo firewall http activex-blocking enable to disable the ActiveX blocking function. Syntax firewall http activex-blocking enable undo firewall http activex-blocking enable...
Examples # Add .vbs to the ActiveX blocking suffix list. <Sysname> system-view [Sysname] firewall http activex-blocking suffix .vbs Related commands display firewall http activex-blocking firewall http java-blocking acl Use firewall http java-blocking acl to specify an ACL for Java blocking. Use undo firewall http java-blocking acl to cancel the configuration.
Default The URL address filtering function denies web requests that use an IP address to access a website. Views System view Default command level 2: System level Parameters deny: Specifies to deny a web request whose destination URL is given as an IP address. permit: Specifies to permit a web request whose destination URL is given as an IP address.
Table 71 Wildcard meanings Wildcard Meaning Usage guidelines (Wildcard at the beginning of an entry) Matches website addresses starting with the keyword. It can be present once at the beginning of a filtering entry. (Wildcard at the end of an entry) Matches website addresses ending with the keyword. It can be present once at the end of a filtering entry.
Syntax firewall http url-filter parameter { default | keywords keywords } undo firewall http url-filter parameter [ default | keywords keywords ] Views System view Default command level 2: System level Parameters default: Specifies to use the default parameter filtering entries, including: ^select$, ^insert$, ^update$, ^delete$, ^drop$, --, ', ^exec$, and %27.
Attack detection and protection configuration commands attack-defense apply policy Use attack-defense apply policy to apply an attack protection policy to an interface. Use undo attack-defense apply policy to restore the default. Syntax attack-defense apply policy policy-number undo attack-defense apply policy Default No attack protection policy is applied to an interface.
Syntax attack-defense tcp fragment enable undo attack-defense tcp fragment enable Default TCP fragment attack protection is disabled. Views System view Default command level 2: System level Usage guidelines This command enables the device to drop attack TCP fragments to prevent TCP fragment attacks. Examples # Disable TCP fragment attack protection.
blacklist ip Use blacklist ip to add a blacklist entry. After an IP address is added to the blacklist, the device filters all packets from it. Use undo blacklist to delete blacklist entries or cancel the aging time configuration of a blacklist entry.
Default The device does not process the attack packets if it detects an ICMP flood attack. Views Attack protection policy view Default command level 2: System level Examples # Configure attack protection policy 1 to drop ICMP flood attack packets. <Sysname>...
defense icmp-flood ip Use defense icmp-flood ip to configure the action and silence thresholds for ICMP flood attack protection of a specific IP address. Use undo defense icmp-flood ip to remove the configuration. Syntax defense icmp-flood ip ip-address rate-threshold high rate-number [ low rate-number ] undo defense icmp-flood ip ip-address [ rate-threshold ] Default No ICMP flood attack protection thresholds are configured for an IP address.
defense icmp-flood rate-threshold Use defense icmp-flood rate-threshold to configure the global action and silence thresholds for ICMP flood attack protection. The device uses the global attack protection thresholds to protect IP addresses for which you do not configure attack protection parameters specifically. Use undo defense icmp-flood rate-threshold to restore the default.
defense scan add-to-blacklist Use defense scan add-to-blacklist to enable the blacklist function for scanning attack protection. Use undo defense scan add-to-blacklist to restore the default. Syntax defense scan add-to-blacklist undo defense scan add-to-blacklist Default The blacklist function for scanning attack protection is not enabled. Views Attack protection policy view Default command level...
• defense scan enable • defense scan max-rate defense scan blacklist-timeout Use defense scan blacklist-timeout to specify the aging time for entries blacklisted by scanning attack protection. Use undo defense scan blacklist-timeout to restore the default, which is 10 minutes. Syntax defense scan blacklist-timeout minutes undo defense scan blacklist-timeout...
Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address. If the connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate command), the device considers the IP address a scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less than the threshold.
Related commands • blacklist enable • defense scan add-to-blacklist • defense scan blacklist-timeout • defense scan enable defense syn-flood action Use defense syn-flood action to specify the actions to be taken in response to SYN flood attack packets. Use undo defense syn-flood action to restore the default. Syntax defense syn-flood action { drop-packet | trigger-tcp-proxy } undo defense syn-flood action...
of SYN packets destined for the specified IP address drops below the silence threshold, it considers that the attack is over, returns to attack detection state, and stops taking the protection measures. Usage guidelines You can specify a maximum of 32 protected IP addresses in each attack protection policy. Examples # Configure SYN flood attack protection for IP address 192.168.1.2, and set the action threshold to 2000 packets per second and the silence threshold to 1000 packets per second.
Usage guidelines Adjust the thresholds according to your actual network conditions. For protected objects that usually receive high SYN traffic, such as an HTTP server or an FTP server, set a larger action threshold to avoid affecting normal services. For poor network conditions or attack-sensitive networks, you can set a smaller action threshold.
packets destined for the specified IP address constantly reaches or exceeds the specified action threshold, the device considers the IP address to be under attack, enters attack protection state, and takes protection actions as configured. low rate-number: Sets the silence threshold for UDP flood attack protection of the specified IP address.
reaches or exceeds the specified action threshold, the device considers the IP address to be under attack, enters attack protection state, and takes protection actions as configured. low rate-number: Sets the global silence threshold for UDP flood attack protection. The rate-number argument indicates the number of UDP packets sent to an IP address per second and is in the range of 1 to 64000.
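The action and silence thresholds described in the SYN flood and UDP flood passages above form a two-state hysteresis per protected address. The following Python model is an added illustration and is not H3C/HPE code; the global thresholds, the second address and the per-second rate trace are constructed values, while the 2000/1000 pps pair mirrors the example in the text.

```python
"""Model of the flood attack-protection thresholds (added illustration).

Each protected IP address has an action threshold (high) and a silence
threshold (low), both in packets per second. In DETECTION state, a rate that
reaches or exceeds the action threshold moves the address to PROTECTION
state; in PROTECTION state the address returns to DETECTION only when the
rate drops below the silence threshold. Addresses without their own
thresholds fall back to the global thresholds.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DETECTION = "detection"
PROTECTION = "protection"


@dataclass
class FloodThresholds:
    high: int  # action threshold, packets/s
    low: int   # silence threshold, packets/s

    def __post_init__(self) -> None:
        # The document gives 1 to 64000 as the rate-number range.
        if not (1 <= self.high <= 64000 and 1 <= self.low <= 64000):
            raise ValueError("rate thresholds must be in the range 1 to 64000")
        if self.low > self.high:
            raise ValueError("silence threshold must not exceed action threshold")


@dataclass
class FloodDetector:
    """Tracks attack-protection state per destination IP address."""
    global_thresholds: FloodThresholds
    per_ip: Dict[str, FloodThresholds] = field(default_factory=dict)
    state: Dict[str, str] = field(default_factory=dict)

    def thresholds_for(self, ip: str) -> FloodThresholds:
        # Per-IP settings win; global thresholds cover every other address.
        return self.per_ip.get(ip, self.global_thresholds)

    def observe(self, ip: str, rate: int) -> Tuple[str, bool]:
        """Feed one per-second packet rate; return (new state, drop packets?)."""
        th = self.thresholds_for(ip)
        current = self.state.get(ip, DETECTION)
        if current == DETECTION and rate >= th.high:
            current = PROTECTION
        elif current == PROTECTION and rate < th.low:
            current = DETECTION
        self.state[ip] = current
        return current, current == PROTECTION


def run_trace(detector: FloodDetector, ip: str, rates: List[int]) -> List[str]:
    """Apply a sequence of per-second rates and return the state after each."""
    return [detector.observe(ip, r)[0] for r in rates]


def build_example_detector() -> FloodDetector:
    # 192.168.1.2 uses the document's example pair (action 2000, silence 1000);
    # the global pair is a constructed value for illustration.
    return FloodDetector(
        global_thresholds=FloodThresholds(high=1000, low=500),
        per_ip={"192.168.1.2": FloodThresholds(high=2000, low=1000)},
    )


if __name__ == "__main__":
    det = build_example_detector()
    # Constructed trace: ramps past 2000, lingers between the two thresholds
    # (still protected), then drops below 1000 (protection released).
    trace = [500, 1999, 2000, 1500, 1200, 999, 300]
    for rate, st in zip(trace, run_trace(det, "192.168.1.2", trace)):
        print(f"{rate:5d} pps -> {st}")
```

The rates between the two thresholds (1500 and 1200 pps) keep the address in protection state, which is the hysteresis the silence threshold provides.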
Examples # Display configuration information about attack protection policy 1. <Sysname> display attack-defense policy 1 Attack-defense Policy Information ------------------------------------------------------------ Policy number Bound interfaces : GigabitEthernet3/0/1 ------------------------------------------------------------ Smurf attack-defense : Enabled ICMP redirect attack-defense : Disabled ICMP unreachable attack-defense : Disabled Large ICMP attack-defense : Enabled Max-length...
SYN Flood attack-defense for specific IP addresses: High-rate(packets/s) Low-rate(packets/s) 192.168.1.1 1000 192.168.2.1 2000 1000 Table 73 Command output Field Description Policy number Sequence number of the attack protection policy. Bound interfaces Interfaces to which the attack protection policy is applied. Smurf attack-defense Indicates whether Smurf attack protection is enabled.
Field Description UDP flood low-rate Global silence threshold for UDP flood attack protection. UDP flood attack on IP UDP flood attack protection settings for specific IP addresses. SYN flood attack-defense Indicates whether SYN flood attack protection is enabled. SYN flood action Action to be taken when a SYN flood attack is detected. It can be Drop-packet (dropping subsequent packets) or Syslog (outputting an alarm log).
Field Description LAND attacks Number of detected Land attacks. LAND attack packets dropped Number of Land packets dropped. Large ICMP attacks Number of detected large ICMP attacks. Large ICMP packets dropped Number of large ICMP packets dropped. Route record attacks Number of detected Route Record attacks.
Views Any view Default command level 1: Monitor level Parameters all: Displays information about all blacklist entries. ip source-ip-address: Displays information about the blacklist entry for an IP address. source-ip-address indicates the IP address, which cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.
Field Description Type Type of the blacklist entry: • manual—The entry was added manually. • auto—The entry was added automatically by the scanning attack protection function. Aging started Time when the blacklist entry was added. Aging finished Aging time of the blacklist entry. Never means that the entry never gets aged.
chassis chassis-number slot slot-number: Displays traffic statistics on a card of an IRF member device. The chassis-number argument refers to the ID of the IRF member device. The slot-number argument refers to the number of the slot where the card resides. (In IRF mode.) |: Filters command output by specifying a regular expression.
Table 77 Command output Field Description Total number of existing sessions Total number of connections. Session establishment rate Connection establishment rate. TCP sessions Number of TCP connections. Half-open TCP sessions Number of half-open connections. Half-close TCP sessions Number of half-close connections. TCP session establishment rate TCP connection establishment rate.
Examples # Display information about all IP addresses protected by the TCP proxy function. <Sysname> display tcp-proxy protected-ip Protected IP Port Number Type Lifetime(min) Rejected packets 1.1.1.1 Dynamic Table 78 Command output Field Description Protected IP IP address under the protection of TCP proxy. Destination port number of the TCP connection request.
<Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] flow-statistics enable destination-ip # You can use the following command to view statistics on packets sent out of the interface with the destination IP address being 2.2.2.2 (you can specify the destination IP address as needed). [Sysname-GigabitEthernet3/0/1] display flow-statistics statistics destination-ip 2.2.2.2 Related commands display flow-statistics statistics...
Parameters fraggle: Specifies the Fraggle packet attack. icmp-redirect: Specifies the ICMP redirect packet attack. icmp-unreachable: Specifies the ICMP unreachable packet attack. land: Specifies the Land packet attack. large-icmp: Specifies the large ICMP packet attack. route-record: Specifies the route record packet attack. smurf: Specifies the Smurf packet attack.
Views Interface view Default command level 2: System level Usage guidelines Usually, the TCP proxy function is used on a device's interfaces connected to external networks to protect internal servers from SYN flood attacks. When detecting a SYN flood attack, the device can take protection actions configured by using the defense syn-flood action command.
TCP attack protection configuration commands display tcp status Use display tcp status to display status of all TCP connections for monitoring TCP connections. Syntax display tcp status [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters...
098c3280 0.0.0.0:23 0.0.0.0:0 Listening 098c3d20 0.0.0.0:646 0.0.0.0:0 Listening Table 79 Command output Field Description *: TCP MD5 Connection If the status information about a TCP connection contains an asterisk (*), the TCP connection uses the MD5 algorithm for authentication. TCPCB TCP control block. Local Add:port Local IP address and port number.
undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number Default The maximum number of TCP connections in each state is 5. Views System view Default command level 2: System level Parameters closing: Specifies the CLOSING state of a TCP connection. established: Specifies the ESTABLISHED state of a TCP connection.
Views System view Default command level 2: System level Examples # Enable the SYN Cookie feature. <Sysname> system-view [Sysname] tcp syn-cookie enable tcp timer check-state Use tcp timer check-state to configure the TCP connection state check interval. Use undo tcp timer check-state to restore the default. Syntax tcp timer check-state time-value undo tcp timer check-state...
IP source guard configuration commands IP source guard configuration commands are available only for SAP interface modules operating in Layer 2 mode. display ip source binding Use display ip source binding to display IPv4 source guard entries. Syntax In standalone mode: display ip source binding [ static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]...
When you use the static keyword, the command displays static IPv4 source guard entries. If you specify neither a port nor an interface card, the command displays static IPv4 source guard entries on all ports. Examples # Display all IPv4 source guard entries. <Sysname>...
Parameters ip-address: Binds source IPv4 addresses to the port. ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port. mac-address: Binds source MAC addresses to the port. Usage guidelines After you enable the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard entries based on the DHCP snooping entries or the DHCP-relay entries, and all static IPv4 source guard entries on the port become effective.
Usage guidelines If the maximum number of IPv4 binding entries to be configured is smaller than the number of existing IPv4 binding entries on the port, the maximum number can be configured successfully and the existing entries will not be affected. New IPv4 binding entries, however, cannot be added any more unless the number of IPv4 binding entries on the port drops below the configured maximum.
[Sysname] arp source-suppression enable Related commands display arp source-suppression arp source-suppression limit Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in five seconds. Unresolvable IP packets are packets whose next hop cannot be resolved by ARP.
begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about the current ARP source suppression configuration.
slot slot-number: Specifies a card by its slot number. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument specifies the ID of the IRF member device. The slot-number argument specifies the slot number of the card. (In IRF mode.) Examples # Set the ARP packet rate limit for the card in slot 1 to 50 pps, and discard packets that exceed the limit.
Syntax arp anti-attack active-ack enable undo arp anti-attack active-ack enable Default The ARP active acknowledgement function is disabled. Views System view Default command level 2: System level Usage guidelines This feature is configured on gateway devices to identify invalid ARP packets. Examples # Enable the ARP active acknowledgement function.
ARP detection configuration commands NOTE: The commands of this feature are supported only when SAP modules operate in bridge mode. arp detection Use arp detection to configure a user validity check rule. Use undo arp detection to restore the default. Syntax arp detection id-number { deny | permit } ip { any | ip-address [ ip-address-mask ] } mac { any | mac-address [ mac-address-mask ] } [ vlan vlan-id ]...
Examples # Configure GigabitEthernet 3/0/1 as an ARP trusted port. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] arp detection trust arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line. Use undo arp detection validate to disable ARP packet validity check.
arp filter source Use arp filter source to enable ARP gateway protection for a specific gateway. Use undo arp filter source to disable ARP gateway protection for the specified gateway. Syntax arp filter source ip-address undo arp filter source ip-address Default ARP gateway protection is disabled.
Views Layer 2 Ethernet interface view, Layer 2 aggregate interface view Default command level 2: System level Parameters ip-address: Specifies a permitted sender IP address. mac-address: Specifies a permitted sender MAC address. Usage guidelines You can configure up to eight ARP filtering entries on a port. You cannot configure both arp filter source and arp filter binding commands on a port.
URPF configuration commands ip urpf Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks. Use undo ip urpf to disable URPF check. Syntax ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ] undo ip urpf Default URPF check is disabled.
FIPS configuration commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Default command level 1: Monitor level Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled Related commands fips mode enable...
Configure the username and password to log in to the device in FIPS mode. The password must include at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters. Delete all MD5-based digital certificates. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
If the self-test fails, the device automatically reboots. Examples # Trigger a self-test on the cryptographic algorithms. <Sysname> system-view [Sysname] fips self-test Self-tests are running. Please wait... Self-tests succeeded.
Group Domain VPN commands KS configuration commands display gdoi ks Use display gdoi ks to display GDOI KS information. Syntax display gdoi ks [ group group-name ] Views User view Default command level 1: Monitor level Parameters group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters.
<Sysname> display gdoi ks Group Name: abc Group identity Group members Redundancy : Enabled Local address : 105.112.100.2 Local version : 1.0 Local priority : 10 Local role : Primary Hello interval : 20 sec Hello number Retransmit interval : 10 sec Retransmit attempts Rekey transport type : Multicast...
ACL configured : 3001 Table 83 Command output Field Description Group Name Name of the GDOI KS group. Group identity KS group identity, a number or an IPv4 address. If no identity is configured, this field is blank. Group members Number of online GMs in the GDOI KS group.
If you do not specify the ip ip-address option, the command displays information about all online GMs in the specified GDOI KS group. If you do not specify any parameter, the command displays information about all online GMs in all GDOI KS groups.
Syntax display gdoi ks policy [ group group-name ] Views User view Default command level 1: Monitor level Parameters group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays policy information for all GDOI KS groups.
Field Description Remaining lifetime Remaining time of the KEK or TEK lifetime. Signature key name Name of the key pair used for signature. Encapsulation IPsec encapsulation mode for IP packets: Tunnel or Transport. Number or name of the ACL referenced. Transform Name of the IPsec transform set referenced.
Peer address : 172.1.1.1 Peer version : 1.0 Peer priority : 100 Peer role : Secondary Peer status : Ready Table 87 Command output Field Description Group Name GDOI KS group name. Role of the local KS in the redundancy: •...
Examples # Display rekey information for all GDOI KS groups. <Sysname> display gdoi ks rekey Group Name: handl Rekey transport type : Multicast Number of rekeys sent Number of rekeys retransmitted Retransmit period : 10 sec Number of retransmissions : 10 Multicast destination address : 230.1.1.1 KEK rekey lifetime...
Field Description Remaining lifetime Remaining time of the KEK or IPsec SA, in seconds. gdoi ks group Use gdoi ks group to create a GDOI KS group and enter GDOI KS group view. Use undo gdoi ks group to delete a GDOI KS group. Syntax gdoi ks group group-name undo gdoi ks group group-name...
Parameters port-number: Specifies a UDP port number in the range of 1 to 65535. Usage guidelines A GDOI KS uses the UDP port number configured in this command to send and receive redundancy protocol packets to and from other KSs. All KSs in the same GDOI KS group must use the same UDP port number.
Syntax identity address address undo identity Default No IP address is configured for a GDOI KS group. Views GDOI KS group view Default command level 2: System level Parameters address: Specifies any valid IPv4 address to identify the GDOI KS group. Usage guidelines You can configure only one type of ID (either an IP address or a number) for a GDOI KS group.
Examples # Configure the number of the GDOI KS group abc as 123456. <Sysname> system-view [Sysname]gdoi ks group abc [Sysname-gdoi-ks-group-abc] identity number 123456 Related commands • identity address • gdoi ks group ipsec Use ipsec to create an IPsec policy for the GDOI KS group and enter GDOI KS IPsec policy view. Use undo ipsec to delete an IPsec policy for the GDOI KS group.
Syntax local priority priority undo local Default The local priority of the GDOI KS is 1. Views GDOI KS group view Default command level 2: System level Parameters priority: Specifies the local priority of the GDOI KS, in the range of 1 to 65535. A higher number represents a higher priority.
Default command level 2: System level Parameters ip-address: Specifies the IP address of a peer KS. Usage guidelines You can specify multiple peer KS IP addresses by executing this command multiple times. The peer IP address configuration takes effect only when KS redundancy is enabled with the redundancy enable command.
Default The redundancy hello packet sending interval for the primary KS is 20 seconds. A secondary KS initiates primary KS re-election when it fails to receive redundancy hello packets from the primary KS 3 consecutive times. Views GDOI KS group view Default command level 2: System level Parameters
Default The retransmission interval is 10 seconds, and the maximum number of retransmissions is 2. Views GDOI KS group view Default command level 2: System level Parameters interval interval: Specifies the redundancy protocol packet retransmission interval in the range of 10 to 60 seconds.
Parameters
access-list-number: Specifies an ACL by its number in the range of 3000 to 3999.
name access-list-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If the multicast rekey method is used, you must specify the rekey ACL. Otherwise, the KS cannot generate the KEK or send rekey messages.
Examples
# Specify the rekey key pair as mykey for the GDOI KS group abc.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey authentication public-key rsa mykey
Related commands
gdoi ks group
rekey encryption
Use rekey encryption to specify the rekey encryption algorithm. Use undo rekey encryption to restore the default.
Views
GDOI KS group view
Default command level
2: System level
Parameters
seconds number-of-seconds: Specifies a time-based lifetime for KEKs, in the range of 300 to 86400 seconds.
Usage guidelines
The TEK lifetime is the IPsec SA lifetime, which is determined by the IPsec SA lifetime setting in the IPsec profile.
Related commands
gdoi ks group
rekey transport unicast
Use rekey transport unicast to enable unicasting rekey messages. Use undo rekey transport unicast to restore the default.
Syntax
rekey transport unicast
undo rekey transport unicast
Default
The KS multicasts rekey messages.
Views
GDOI KS group view
Default command level
...
<Sysname> reset gdoi ks group abc
reset gdoi ks members
Use reset gdoi ks members to clear GM information saved on the KS, including the GM registration information and the TEKs/KEKs sent to GMs.
Syntax
reset gdoi ks members [ group group-name ]
Views
User view
Default command level
...
security acl (GDOI KS group IPsec policy view)
Use security acl to reference an ACL for the GDOI KS IPsec policy. Use undo security acl to remove the referenced ACL.
Syntax
security acl { access-list-number | name access-list-name }
undo security acl
Default
No ACL is referenced.
Views
GDOI KS group view
Default command level
2: System level
Parameters
ip-address: Specifies any valid IPv4 address.
Usage guidelines
Perform this task to specify the source address for GROUPKEY-PUSH protocol packets and redundancy protocol packets sent by the KS.
Examples
# Specify the source address for the GDOI KS group abc as 11.1.1.1.
<Sysname> system-view
[Sysname] gdoi gm group abc
[Sysname-gdoi-gm-group-abc] client registration interface gigabitethernet 1/0/1
Related commands
gdoi gm group
display gdoi gm
Use display gdoi gm to display GDOI GM group information, including GDOI configuration parameters, negotiation parameters, and the IPsec information obtained after successful registrations.
Attempted registrations   : 1133
Last rekey from           : 90.1.1.1
Last rekey seq num        :
Multicast rekeys received : 1
Allowable rekey cipher    : Any
Allowable rekey hash      : Any
Allowable transform       : Any
Rekeys Cumulative Total received After latest registration: 3
Rekey received (hh:mm:ss): 00:02:11
ACL Downloaded From KS 90.1.1.1:
  rule 0 deny udp source-port eq 848 destination-port eq 848
  rule 1 deny ospf
...
Field                 Description
Rekeys Received       Number of rekey messages received.
IPsec SA Direction    IPsec SA direction: Both or Inbound (not supported at present).
Group Server List     KS IP address list in the GDOI GM group. The list can contain eight addresses at most.
Group Member          IP address of the GM.
Field                                                        Description
rule 0 deny udp source-port eq 848 destination-port eq 848   Indicates that any UDP packets whose source and destination port numbers are both 848 do not need to be protected by IPsec.
rule 1 deny ospf                                             Indicates that OSPF protocol packets do not need to be protected by IPsec.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameter, the command displays information about all ACLs for all GMs, including the downloaded ACLs and the locally configured ACLs.
Field                                                                    Description
rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255  Indicates that IPsec does not protect IP packets whose source and destination addresses are within subnet 10.1.1.0/24.
display gdoi gm ipsec sa
Use display gdoi gm ipsec sa to display IPsec SA information obtained by GMs.
Syntax
display gdoi gm ipsec sa [ group group-name ] [ | { begin | exclude | include } regular-expression ]
...
SA timing:
  remaining key lifetime (sec): 190
Anti-replay detection: Disabled
Table 91 Command output
Field                          Description
Interface                      Name of the interface bound to the IPsec SA.
Transform                      Transform set.
remaining key lifetime (sec)   Remaining lifetime of the IPsec SA, in seconds.
                               Time-based anti-replay window size, in seconds.
Registration status       : Registered
Registered with           : 90.1.1.1
Re-register in            : 308 sec
Succeeded registrations   : 1131
Attempted registrations   : 1139
Last rekey from           : 90.1.1.1
Last rekey seq num        :
Multicast rekeys received : 1
Allowable rekey cipher    : Any
Allowable rekey hash      : Any
Allowable transform       : Any
...
Field                Description
Allowable transform  The rekey transform mode that the GM allows. Any indicates that the GM allows all transform modes.
display gdoi gm pubkey
Use display gdoi gm pubkey to display the public key information received by GMs.
Syntax
display gdoi gm pubkey [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
...
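The display gdoi gm output shown above is what an operator would poll to confirm that group members are still registered with the intended key server and still holding a sane downloaded ACL. The script below is an added example for this reference, not product code or output of the device: it parses the "Field : value" lines and the "ACL Downloaded From KS" block as shown in the reference and returns findings for a GM that is not registered, that registered with or received its ACL from a KS outside an allow-list, that has accumulated failed registration attempts, or whose downloaded ACL does not exempt GDOI control traffic (UDP 848). The sample outputs are constructed from the fields in the reference; the counter values, the trailing `rule 2 permit ip` line, the unregistered sample and the allow-list address 90.1.1.1 are assumptions.

```python
"""Health check over 'display gdoi gm' output.

Added example for this reference (not product code). It parses the
"Field : value" lines and the "ACL Downloaded From KS" block shown in
the reference and flags conditions an operator would want to know about.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the output in the reference. The counter
# values and the final 'rule 2 permit ip' line are assumptions.
SAMPLE_OUTPUT = """\
Registration status       : Registered
Registered with           : 90.1.1.1
Re-register in            : 308 sec
Succeeded registrations   : 1131
Attempted registrations   : 1139
Last rekey from           : 90.1.1.1
Last rekey seq num        :
Multicast rekeys received : 1
Allowable rekey cipher    : Any
Allowable rekey hash      : Any
Allowable transform       : Any
ACL Downloaded From KS 90.1.1.1:
  rule 0 deny udp source-port eq 848 destination-port eq 848
  rule 1 deny ospf
  rule 2 permit ip
"""

# Constructed sample of a GM that has never completed registration (assumption).
UNREGISTERED_OUTPUT = """\
Registration status       : Not registered
Registered with           :
Re-register in            :
Succeeded registrations   : 0
Attempted registrations   : 4
"""

KEYVAL = re.compile(r"^(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<val>.*)$")
ACL_HDR = re.compile(r"^ACL Downloaded From KS (?P<ks>\S+):\s*$")


@dataclass
class GmStatus:
    fields: Dict[str, str] = field(default_factory=dict)
    acl_source: Optional[str] = None            # KS that pushed the ACL
    acl_rules: List[str] = field(default_factory=list)

    @property
    def registered(self) -> bool:
        return self.fields.get("Registration status") == "Registered"

    @property
    def failed_registrations(self) -> int:
        attempted = int(self.fields.get("Attempted registrations") or 0)
        succeeded = int(self.fields.get("Succeeded registrations") or 0)
        return attempted - succeeded

    @property
    def reregister_seconds(self) -> Optional[int]:
        m = re.match(r"(\d+)", self.fields.get("Re-register in", ""))
        return int(m.group(1)) if m else None


def parse_display_gdoi_gm(text: str) -> GmStatus:
    """Parse the key/value section and the downloaded-ACL section."""
    st = GmStatus()
    in_acl = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = ACL_HDR.match(line)
        if hdr:
            st.acl_source, in_acl = hdr.group("ks"), True
            continue
        if in_acl:
            if line.startswith("rule "):
                st.acl_rules.append(line)
                continue
            in_acl = False            # first non-rule line ends the ACL block
        kv = KEYVAL.match(line)
        if kv:
            st.fields[kv.group("key").strip()] = kv.group("val").strip()
    return st


def exempts_gdoi_control(rule: str) -> bool:
    """True for a deny rule that keeps UDP 848 (GDOI) out of IPsec."""
    return "deny udp" in rule and "eq 848" in rule


def assess(st: GmStatus, allowed_ks: Set[str], max_failures: int = 0) -> List[str]:
    """Return findings for this GM; an empty list means healthy."""
    findings = []
    if not st.registered:
        findings.append("GM is not registered with any KS")
    ks = st.fields.get("Registered with")
    if ks and ks not in allowed_ks:
        findings.append(f"registered with unexpected KS {ks}")
    if st.acl_source and st.acl_source not in allowed_ks:
        findings.append(f"ACL downloaded from unexpected KS {st.acl_source}")
    if st.failed_registrations > max_failures:
        findings.append(f"{st.failed_registrations} failed registration attempts")
    if not any(exempts_gdoi_control(r) for r in st.acl_rules):
        findings.append("downloaded ACL does not exempt GDOI control traffic (UDP 848)")
    return findings


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_OUTPUT), ("unregistered", UNREGISTERED_OUTPUT)):
        print(name, assess(parse_display_gdoi_gm(text), {"90.1.1.1"}))
```

The parser deliberately treats an empty value (such as the blank Last rekey seq num field in the reference output) as present-but-empty rather than failing, and ends the ACL block at the first line that is not a rule, so trailing fields after the ACL are still captured.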
             Destination      Source      Conn-ID  My Cookie  His Cookie
Current    : 239.192.1.190    90.1.1.1    9646     14406D26   8C58E504
Previous   : ---
Table 94 Command output
Field        Description
Group Name   GDOI GM group name.
Unicast      Indicates the rekey transport type is unicast.
Multicast    Indicates the rekey transport type is multicast.
The device supports 64 GDOI GM groups at most.
Examples
# Create a GDOI GM group named abc, and enter its view.
<Sysname> system-view
[Sysname] gdoi gm group abc
[Sysname-gdoi-gm-group-abc]
Related commands
display gdoi gm
group
Use group to specify the GDOI GM group to be referenced by the GDOI IPsec policy. Use undo group to remove the GDOI GM group referenced by the GDOI IPsec policy.
Use undo identity to delete the GDOI GM group ID.
Syntax
identity { address ip-address | number number }
undo identity
Default
No ID is configured for a GDOI GM group.
Views
GDOI GM group view
Default command level
2: System level
Parameters
address ip-address: Specifies any valid IPv4 address to identify the GDOI GM group.
Parameters
group group-name: Clears the GDOI information of GMs in a GDOI GM group. The group-name argument specifies the name of a GDOI GM group, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command clears the GDOI information for all GMs.
Examples
# Clear the GDOI information for GMs, and trigger the GMs to re-register with the KS.
Document conventions and icons
Conventions
This section describes the conventions used in the documentation.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Command conventions
Convention   Description
Boldface     Bold text represents commands and keywords that you enter literally as shown.
Network topology icons
Convention   Description
             Represents a generic network device, such as a router, switch, or firewall.
             Represents a routing-capable device, such as a router or Layer 3 switch.
             Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Support and other resources
Accessing Hewlett Packard Enterprise Support
• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc
Information to collect
• ...
For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs
Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
Index
aaa nas-id profile, 1
access-limit, 35
access-limit enable, 1
access-user detect, 140
accounting command, 2
authentication ppp, 13
authentication super, 14
authentication-algorithm, 302
authentication-method, 302
authorization command, 15
authorization default, 16
...