HPE FlexNetwork HSR6800 Routers
Security Command Reference
Part number: 5998-4511R
Software version: HSR6800-CMW520-R3303P25
Document version: 6W105-20151231



Summary of Contents for HPE FlexNetwork HSR6800

  • Page 1 HPE FlexNetwork HSR6800 Routers Security Command Reference Part number: 5998-4511R Software version: HSR6800-CMW520-R3303P25 Document version: 6W105-20151231...
  • Page 2 © Copyright 2015 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: AAA configuration commands, p. 1; General AAA configuration commands, p. 1; aaa nas-id profile, p. 1; access-limit enable, p. 1; accounting command, p. 2; accounting default, p. 3; accounting dvpn, p. 3; accounting lan-access, p. 4; accounting login, p. 5; accounting optional ...
  • Page 4 data-flow-format (RADIUS scheme view), p. 51; display radius scheme, p. 52; display radius statistics, p. 55; display stop-accounting-buffer (for RADIUS), p. 58; key (RADIUS scheme view), p. 60; nas-ip (RADIUS scheme view), p. 61; primary accounting (RADIUS scheme view), p. 62; primary authentication (RADIUS scheme view) ...
  • Page 5 dot1x handshake, p. 116; dot1x handshake secure, p. 117; dot1x mandatory-domain, p. 118; dot1x max-user, p. 119; dot1x multicast-trigger, p. 120; dot1x port-control, p. 120; dot1x port-method, p. 121; dot1x quiet-period, p. 123; dot1x re-authenticate, p. 123; dot1x retry, p. 124; dot1x supp-proxy-check ...
  • Page 6 display port-security mac-address block, p. 174; display port-security mac-address security, p. 176; port-security authorization ignore, p. 177; port-security enable, p. 178; port-security intrusion-mode, p. 179; port-security mac-address aging-type inactivity, p. 179; port-security mac-address dynamic, p. 180; port-security mac-address security, p. 181; port-security max-mac-count ...
  • Page 7 PKI configuration commands, p. 227; attribute, p. 227; ca identifier, p. 228; certificate request entity, p. 228; certificate request from, p. 229; certificate request mode, p. 229; certificate request polling, p. 230; certificate request url, p. 231; common-name, p. 232; country ...
  • Page 8 ipsec policy-template, p. 280; ipsec profile (system view), p. 280; ipsec profile (tunnel interface view), p. 281; ipsec sa global-duration, p. 282; ipsec transform-set, p. 283; pfs, p. 283; policy enable, p. 284; qos pre-classify, p. 285; reset ipsec sa, p. 286; reset ipsec statistics ...
  • Page 9 display ssh user-information, p. 330; sftp server enable, p. 332; sftp server idle-timeout, p. 332; ssh server authentication-retries, p. 333; ssh server authentication-timeout, p. 333; ssh server compatible-ssh1x enable, p. 334; ssh server enable, p. 335; ssh server rekey-interval, p. 335; ssh user ...
  • Page 10 tcp syn-check, p. 374; ALG configuration commands, p. 376; alg, p. 376; Session management commands, p. 377; application aging-time, p. 377; display application aging-time, p. 377; display session aging-time, p. 378; display session hardware, p. 379; display session relation-table, p. 380; display session statistics ...
  • Page 11 defense scan add-to-blacklist, p. 422; defense scan blacklist-timeout, p. 423; defense scan enable, p. 423; defense scan max-rate, p. 424; defense syn-flood action, p. 425; defense syn-flood enable, p. 425; defense syn-flood ip, p. 426; defense syn-flood rate-threshold, p. 427; defense udp-flood action drop-packet ...
  • Page 12 ARP automatic scanning and fixed ARP configuration commands, p. 467; arp fixup, p. 467; arp scan, p. 468; ARP gateway protection configuration commands, p. 468; arp filter source, p. 469; ARP filtering configuration commands, p. 469; arp filter binding, p. 469; ND attack defense configuration commands ...
  • Page 13 server address, p. 514; Document conventions and icons, p. 515; Conventions, p. 515; Network topology icons, p. 516; Support and other resources, p. 517; Accessing Hewlett Packard Enterprise Support, p. 517; Accessing updates, p. 517; Websites, p. 518; Customer self repair, p. 518; Remote support ...
  • Page 14: Aaa Configuration Commands

    AAA configuration commands General AAA configuration commands aaa nas-id profile Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs. Use undo aaa nas-id profile to remove a NAS ID profile. Syntax aaa nas-id profile profile-name undo aaa nas-id profile profile-name...
  • Page 15: Accounting Command

    Parameters max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646. Usage guidelines System resources are limited, and user connections may compete for network resources when there are many users. Setting a proper limit to the number of online users helps provide reliable system performance.
  • Page 16: Accounting Default

    accounting default Use accounting default to configure the default accounting method for an ISP domain. Use undo accounting default to restore the default. Syntax accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo accounting default Default The default accounting method of an ISP domain is local.
  • Page 17: Accounting Lan-Access

    Syntax accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] } undo accounting dvpn Default The default accounting method for the ISP domain is used for DVPN users. Views ISP domain view Default command level 2: System level Parameters local: Performs local accounting.
  • Page 18: Accounting Login

    Views ISP domain view Default command level 2: System level Parameters local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines This command is supported only on SAP interface modules that are operating in Layer 2 mode.
  • Page 19: Accounting Optional

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured.
  • Page 20: Accounting Portal

    real-time accounting updates for the user. The accounting optional feature applies to scenarios where accounting is not important. After you configure the accounting optional command, the setting configured by the access-limit command in local user view has no effect. Examples # Enable the accounting optional feature for users in domain test.
  • Page 21: Accounting Ppp

    • radius scheme accounting ppp Use accounting ppp to configure the accounting method for PPP users. Use undo accounting ppp to restore the default. Syntax accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo accounting ppp Default The default accounting method for the ISP domain is used for PPP users.
  • Page 22: Authentication Default

    authentication default Use authentication default to configure the default authentication method for an ISP domain. Use undo authentication default to restore the default. Syntax authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authentication default Default The default authentication method of an ISP domain is local.
  • Page 23: Authentication Lan-Access

    undo authentication dvpn Default The default authentication method for the ISP domain is used for DVPN users. Views ISP domain view Default command level 2: System level Parameters local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 24: Authentication Login

    Default command level 2: System level Parameters local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines This command is supported only on SAP interface modules that are operating in Layer 2 mode. The specified RADIUS scheme must have been configured.
  • Page 25: Authentication Portal

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured.
  • Page 26: Authentication Ppp

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The specified RADIUS scheme must have been configured. Examples # Configure ISP domain test to use local authentication for portal users. <Sysname>...
  • Page 27: Authentication Super

    Examples # Configure ISP domain test to use local authentication for PPP users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authentication ppp local # Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local authentication as the backup. <Sysname>...
  • Page 28: Authorization Command

    [Sysname] domain test [Sysname-domain-test] authentication super hwtacacs-scheme tac Related commands • hwtacacs scheme • radius scheme • super authentication-mode (Fundamentals Command Reference) authorization command Use authorization command to configure the command line authorization method. Use undo authorization command to restore the default. Syntax authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }...
  • Page 29: Authorization Default

    • authorization default • hwtacacs scheme authorization default Use authorization default to configure the default authorization method for an ISP domain. Use undo authorization default to restore the default. Syntax authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authorization default Default...
  • Page 30: Authorization Dvpn

    authorization dvpn Use authorization dvpn to configure the authorization method for DVPN users. Use undo authorization dvpn to restore the default. Syntax authorization dvpn { local | none | radius-scheme radius-scheme-name [ local ] } undo authorization dvpn Default The default authorization method for the ISP domain is used for DVPN users. Views ISP domain view Default command level...
  • Page 31: Authorization Login

    Syntax authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } undo authorization lan-access Default The default authorization method for the ISP domain is used for LAN users. Views ISP domain view Default command level 2: System level Parameters local: Performs local authorization.
  • Page 32: Authorization Portal

    undo authorization login Default The default authorization method for the ISP domain is used for login users. Views ISP domain view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization.
  • Page 33: Authorization Ppp

    Default The default authorization method for the ISP domain is used for portal users. Views ISP domain view Default command level 2: System level Parameters local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly.
  • Page 34: Authorization-Attribute User-Profile

    Views ISP domain view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated PPP user can access the network directly.
  • Page 35: Cut Connection

    Views ISP domain view Default command level 3: Manage level Parameters profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide. Usage guidelines After a user of an ISP domain passes authentication, if the server (or the access device in the case of local authentication) does not authorize any user profile to the ISP domain, the system uses the user profile specified by the authorization-attribute user-profile command as that of the ISP domain.
  • Page 36: Display Connection

    domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a string of 1 to 24 characters. interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces are supported.
  • Page 37 display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 38 If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), the device uses the mandatory authentication domain to perform authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain.
  • Page 39: Display Domain

    IP=10.0.0.1 IPv6=N/A Access=Admin ,AuthMethod=PAP Port Type=Virtual ,Port Name=N/A Initial VLAN=999, Authorization VLAN=20 ACL Group=Disable User Profile=N/A CAR=Disable Priority=Disable SessionTimeout=60(s), Terminate-Action=Radius-Request Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s Total 1 connection matched. Chassis 1 slot: Total 0 connection matched. Chassis 1 slot: Total 0 connection matched. Table 1 Command output Field Description...
  • Page 40 Syntax display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters isp-name: Name of an existing ISP domain, a string of 1 to 24 characters. |: Filters command output by specifying a regular expression.
  • Page 41 Self-service : Disabled Authorization attributes : User-profile : profile1 Default Domain Name: system Total 2 domain(s). Table 2 Command output Field Description Domain ISP domain name. State Status of the ISP domain: active or blocked. Users in an active ISP domain can request network services, and users in a blocked ISP domain cannot.
  • Page 42: Domain

    • state domain Use domain to create an ISP domain and enter ISP domain view. Use undo domain to remove an ISP domain. Syntax domain isp-name undo domain isp-name Default There is a system predefined ISP domain named system in the system. Views System view Default command level...
  • Page 43: Domain If-Unknown

    Default The default ISP domain is the system predefined ISP domain system. Views System view Default command level 3: Manage level Parameters isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters. Usage guidelines There can be only one default ISP domain. The specified domain must already exist.
  • Page 44: Idle-Cut Enable

    Usage guidelines The device chooses an authentication domain for each user in the following order: • The authentication domain specified for the access module • The ISP domain in the username • The default ISP domain of the device • The ISP domain specified for users with unknown domain names If all the domains are unavailable, user authentication fails.
  • Page 45: Ip Pool

    Examples # Enable the idle cut function and set the idle timeout period to 50 minutes and the traffic threshold to 1024 bytes for ISP domain test. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] idle-cut enable 50 1024 Related commands domain ip pool Use ip pool to configure an address pool for assigning addresses to PPP users.
  • Page 46: Nas-Id Bind Vlan

    Related commands • ip pool (Layer 2—WAN Command Reference) • remote address (Layer 2—WAN Command Reference) nas-id bind vlan Use nas-id bind vlan to bind a NAS ID with a VLAN. Use undo nas-id bind vlan to remove a NAS ID-VLAN binding. Syntax nas-id nas-identifier bind vlan vlan-id undo nas-id nas-identifier bind vlan vlan-id...
  • Page 47: Session-Time Include-Idle-Time

    Default The self-service server location function is disabled. Views ISP domain view Default command level 2: System level Parameters url-string: URL of the self-service server, a string of 1 to 64 characters that starts with http:// and contains no question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation.
  • Page 48: State (Isp Domain View)

    [Sysname] domain test [Sysname-isp-test] session-time include-idle-time Related commands idle-cut enable state (ISP domain view) Use state to set the status of an ISP domain. Use undo state to restore the default. Syntax state { active | block } undo state Default An ISP domain is in active state.
  • Page 49: Authorization-Attribute

    Default There is no limit to the number of users who concurrently use the same local user account. Views Local user view Default command level 3: Manage level Parameters max-user-number: Maximum number of concurrent users of the same local user account, ranging from 1 to 1024.
  • Page 50 callback-number callback-number: Specifies the authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user. idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period is logged out.
  • Page 51: Bind-Attribute

    [Sysname] local-user abc [Sysname-luser-abc] authorization-attribute vlan 2 # Configure the authorized VLAN of user group abc as VLAN 3. <Sysname> system-view [Sysname] user-group abc [Sysname-ugroup-abc] authorization-attribute vlan 3 bind-attribute Use bind-attribute to configure binding attributes for a local user. Use undo bind-attribute to remove binding attributes of a local user. Syntax bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *...
  • Page 52: Display Local-User

    [Sysname] local-user abc [Sysname-luser-abc] bind-attribute ip 3.3.3.3 display local-user Use display local-user to display configuration and statistics information about local users. Syntax In standalone mode: display local-user [ idle-cut { disable | enable } | service-type { dvpn | ftp | lan-access | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] In IRF mode:...
  • Page 53 exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameter, the command displays information about all local users. If you do not specify a card, the command displays information about local users on all cards.
  • Page 54 Vlan ID: Authorization attributes: Idle TimeOut: 10(min) Work Directory: cfa0:/ User Privilege: Acl ID: 2000 Vlan ID: User Profile: prof1 Expiration date: 12:12:12-2018/09/16 Password aging: Enabled (30 days) Password length: Enabled (4 characters) Password composition: Enabled (4 types, 2 characters per type) Total 1 local user(s) matched.
  • Page 55: Display User-Group

    display user-group Use display user-group to display the configuration of user groups. Syntax display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters group-name: Specifies a user group name, a case-insensitive string of 1 to 32 characters. |: Filters command output by specifying a regular expression.
  • Page 56: Expiration-Date

    Field Description VLAN ID Authorized VLAN for the local users in the group. User-Profile User profile for local user authorization. Callback-number Authorized PPP callback number for the local users in the group. Password aging Password aging time for the local users in the group. Password length Minimum password length for the local users in the group.
  • Page 57: Group

    Related commands validity-date group Use group to assign a local user to a user group. Use undo group to restore the default. Syntax group group-name undo group Default A local user belongs to the system default user group system. Views Local user view Default command level 3: Manage level...
  • Page 58: Local-User

    Examples # Set the guest attribute for user group test. <Sysname> system-view [Sysname] user-group test [Sysname-ugroup-test] group-attribute allow-guest local-user Use local-user to add a local user and enter local user view. Use undo local-user to remove the specified local users. Syntax local-user user-name undo local-user { user-name | all [ service-type { ftp | lan-access | portal | ppp | ssh | telnet |...
  • Page 59: Password

    • service-type password Use password to configure a password for a local user. Use undo password to delete the password of a local user. Syntax password [ [ hash ] { cipher | simple } password ] undo password Views Local user view Default command level 2: System level...
  • Page 60: Service-Type

    # Set the password to 123456 in plain text for local user user1, and enable hash-based encryption for the password. <Sysname> system-view [Sysname] local-user user1 [Sysname-luser-user1] password hash simple 123456 Related commands display local-user service-type Use service-type to specify the service types that a user can use. Use undo service-type to delete one or all service types configured for a user.
  • Page 61: State (Local User View)

    state (local user view) Use state to set the status of a local user. Use undo state to restore the default. Syntax state { active | block } undo state Default A local user is in active state. Views Local user view Default command level 2: System level Parameters...
  • Page 62: Validity-Date

    Usage guidelines A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
  • Page 63: Radius Configuration Commands

    [Sysname] local-user abc [Sysname-luser-abc] validity-date 12:10:20-2008/04/30 [Sysname-luser-abc] expiration-date 12:10:20-2008/05/31 Related commands expiration-date RADIUS configuration commands accounting-on enable Use accounting-on enable to configure the accounting-on feature. Use undo accounting-on enable to disable the accounting-on feature. Syntax accounting-on enable [ interval seconds | send send-times ] * undo accounting-on enable Default The accounting-on feature is disabled.
  • Page 64: Attribute 25 Car

    attribute 25 car Use attribute 25 car to specify the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters. Use undo attribute 25 car to restore the default. Syntax attribute 25 car undo attribute 25 car Default RADIUS attribute 25 is not interpreted as CAR parameters.
  • Page 65: Display Radius Scheme

    Usage guidelines The unit for data flows and that for packets must be consistent with those on the RADIUS server. Otherwise, accounting cannot be performed correctly. Examples # Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets, respectively, in RADIUS scheme radius1.
  • Page 66 Examples # Display the configuration of all RADIUS schemes. <Sysname> display radius scheme ------------------------------------------------------------------ SchemeName : radius1 Index : 0 Type : extended Primary Auth Server: IP: 1.1.1.1 Port: 1812 State: active Encryption Key : ****** VPN instance Probe username : N/A Probe interval : N/A Primary Acct Server: IP: 1.1.1.1...
  • Page 67 Table 5 Command output Field Description SchemeName Name of the RADIUS scheme. Index Index number of the RADIUS scheme. Type Type of the RADIUS server supported on the router: • Extended—The RADIUS server uses the proprietary RADIUS protocol of Hewlett Packard Enterprise for packet exchange. •...
  • Page 68: Display Radius Statistics

    Field Description Username format Format of the usernames to be sent to the RADIUS server. Data flow unit Unit for data flows sent to the RADIUS server. Packet unit Unit for packets sent to the RADIUS server. NAS-IP address Source IP address for RADIUS packets to be sent. Attribute 25 Interprets RADIUS attribute 25 as the CAR parameters.
  • Page 69 Received and Sent packets statistic: Sent PKT total = 1547 Received PKT total = 23 Resend Times Resend total Total 1016 RADIUS received packets statistic: Code = Num = 15 Err = 0 Code = Num = 4 Err = 0 Code = Num = 4 Err = 0...
  • Page 70 Table 6 Command output Field Description slot Number of the slot in which the card resides. state statistic User statistics, by state. DEAD Number of idle users. AuthProc Number of users waiting for authentication. AuthSucc Number of users who have passed authentication. AcctStart Number of users for whom accounting has been started.
  • Page 71: Display Stop-Accounting-Buffer (For Radius)

    Field Description Set policy result Number of responses to the Set policy packets. Accounting on request Counts of accounting-on requests. Accounting on response Counts of accounting-on responses. Dynamic Author Ext request Counts of dynamic authorization extension requests. RADIUS sent messages statistic Statistics for sent RADIUS messages.
  • Page 72 Default command level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters. session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
  • Page 73: Key (Radius Scheme View)

    1000326232326010 23:33:01-08/31/2006 Total 2 record(s) Matched Related commands • reset stop-accounting-buffer • stop-accounting-buffer enable • user-name-format • retry • retry stop-accounting key (RADIUS scheme view) Use key to set the shared key for secure RADIUS authentication/authorization or accounting communication. Use undo key to remove the configuration. Syntax key { accounting | authentication } [ cipher | simple ] key undo key { accounting | authentication }...
  • Page 74: Nas-Ip (Radius Scheme View)

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] key accounting simple ok # For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] key accounting ok # For RADIUS scheme radius1, set the shared key for secure authentication/authorization communication to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text.
  • Page 75: Primary Accounting (Radius Scheme View)

    A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new one overwrites the old one. The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes.
  • Page 76: Primary Authentication (Radius Scheme View)

    Usage guidelines Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server. The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command.
  • Page 77 ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization server, which must be a valid global unicast address. port-number: Specifies the service port number of the primary RADIUS authentication/authorization server, which is a UDP port number ranging from 1 to 65535 and defaults to 1812. key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary RADIUS authentication/authorization server.
  • Page 78: Radius Client

    For 802.1X authentication, if the status of every server is block, the device assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To ensure that the device can set the server to its actual status, set a longer quiet timer for the primary server with the timer quiet command.
  • Page 79: Radius Nas-Ip

    • If local authentication, authorization, or accounting is configured as the backup, the device performs local authentication, authorization, or accounting instead after the RADIUS request fails. Local accounting is only for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.
  • Page 80: Radius Scheme

    Examples # Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1. <Sysname> system-view [Sysname] radius nas-ip 129.10.10.1 Related commands nas-ip radius scheme Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view. Use undo radius scheme to delete a RADIUS scheme.
  • Page 81: Reset Radius Statistics

    undo radius trap accounting-server-down authentication-error-threshold authentication-server-down } Default The trap function is disabled for RADIUS. Views System view Default command level 2: System level Parameters accounting-server-down: Sends traps when the reachability of the accounting server changes. authentication-error-threshold: Sends traps when the number of authentication failures exceeds the specified threshold.
  • Page 82: Reset Stop-Accounting-Buffer (For Radius)

    Parameters slot slot-number: Specifies a card by its slot number. The slot-number argument represents the slot number of the card. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device, and the slot-number argument represents the slot number of the card.
  • Page 83: Retry

    Examples # Clear the stop-accounting requests buffered for user user0001@test. <Sysname> reset stop-accounting-buffer user-name user0001@test # Clear the stop-accounting requests buffered in the time range from 0:0:0 to 23:59:59 on August 31, 2006. <Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006 Related commands •...
  • Page 84: Retry Realtime-Accounting

    retry realtime-accounting Use retry realtime-accounting to set the maximum number of accounting attempts. Use undo retry realtime-accounting to restore the default. Syntax retry realtime-accounting retry-times undo retry realtime-accounting Default The maximum number of accounting attempts is 5. Views RADIUS scheme view Default command level 2: System level Parameters...
  • Page 85: Retry Stop-Accounting (Radius Scheme View)

    retry stop-accounting (RADIUS scheme view) Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts. Use undo retry stop-accounting to restore the default. Syntax retry stop-accounting retry-times undo retry stop-accounting Default The maximum number of stop-accounting request transmission attempts is 500. Views RADIUS scheme view Default command level...
  • Page 86 Syntax secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] * undo secondary accounting [ ipv4-address | ipv6 ipv6-address ] Default No secondary RADIUS accounting server is specified. Views RADIUS scheme view Default command level...
  • Page 87: Secondary Authentication (Radius Scheme View)

    If you remove a secondary accounting server when the device has already sent a start-accounting request to the server, the communication with the secondary server times out, and the device looks for a server in active state from the primary server on. If you remove an accounting server being used by online users, the device can no longer send real-time accounting requests or stop-accounting requests for the users, and it does not buffer the stop-accounting requests.
  • Page 88 port-number: Specifies the service port number of the secondary RADIUS authentication/authorization server, which is a UDP port number ranging from 1 to 65535 and defaults to 1812. key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary RADIUS authentication/authorization server.
  • Page 89: Security-Policy-Server

    For 802.1X authentication, if the status of every server is block, the device assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To make sure the device can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command.
  • Page 90: Server-Type

    Default command level 2: System level Parameters ip-address: Specifies a security policy server by its IP address. all: Specifies all security policy servers. Usage guidelines You can specify up to eight security policy servers for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
  • Page 91: State Primary

    state primary Use state primary to set the status of a primary RADIUS server. Syntax state primary { accounting | authentication } { active | block } Default The primary RADIUS server specified for a RADIUS scheme is in active state. Views RADIUS scheme view Default command level...
  • Page 92: Stop-Accounting-Buffer Enable (Radius Scheme View)

    Default Every secondary RADIUS server specified in a RADIUS scheme is in active state. Views RADIUS scheme view Default command level 2: System level Parameters accounting: Sets the status of the secondary RADIUS accounting server. authentication: Sets the status of the secondary RADIUS authentication/authorization server. ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
  • Page 93: Timer Quiet (Radius Scheme View)

    Views RADIUS scheme view Default command level 2: System level Usage guidelines A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request that receives no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit.
  • Page 94: Timer Realtime-Accounting (Radius Scheme View)

    If you determine that the primary server is unreachable because the device's port connected to the server is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible. Be sure to set the server quiet timer properly.
  • Page 95: Timer Response-Timeout (Radius Scheme View)

    Number of users Real-time accounting interval (in minutes) 500 to 999 1000 or more 15 or longer Examples # Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer realtime-accounting 51 Related commands retry realtime-accounting timer response-timeout (RADIUS scheme view)
  • Page 96: User-Name-Format (Radius Scheme View)

    user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Syntax user-name-format { keep-original | with-domain | without-domain } Default The ISP domain name is included in the username. Views RADIUS scheme view Default command level 2: System level...
  • Page 97: Hwtacacs Configuration Commands

    Default command level 2: System level Parameters vpn-instance-name: Name of the MPLS VPN, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN instance specified here applies to all IPv4 servers in the RADIUS scheme for which no specific VPN instance is specified.
  • Page 98: Display Hwtacacs

    Examples # Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets, respectively, in HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet Related commands display hwtacacs display hwtacacs Use display hwtacacs to display the configuration of HWTACACS schemes or the statistics for the HWTACACS servers specified in HWTACACS schemes.
  • Page 99 <Sysname> display hwtacacs gy -------------------------------------------------------------------- HWTACACS-server template name : gy Primary-authentication-server : 172.31.1.11:49 VPN instance : vpn1 Primary-authorization-server : 172.31.1.11:49 VPN instance : vpn1 Primary-accounting-server : 172.31.1.11:49 VPN instance : vpn1 Secondary-authentication-server : 0.0.0.0:0 VPN instance Secondary-authorization-server : 0.0.0.0:0 VPN instance Secondary-accounting-server : 0.0.0.0:0 VPN instance...
  • Page 100 Field Description Current-authentication-server IP address and port number of the currently used authentication server. Current-authorization-server IP address and port number of the currently used authorization server. Current-accounting-server IP address and port number of the currently used accounting server. VPN instance MPLS L3VPN to which the server belongs.
  • Page 101: Display Stop-Accounting-Buffer (For Hwtacacs)

    HWTACACS server open number: 1 HWTACACS server close number: 1 HWTACACS author client request packet number: 1 HWTACACS author client response packet number: 1 HWTACACS author client timeout number: 0 HWTACACS author client packet dropped number: 0 HWTACACS author client unknown type number: 0 HWTACACS author client request EXEC number: 1 HWTACACS author client request PPP number: 0 HWTACACS author client request VPDN number: 0...
  • Page 102: Hwtacacs Nas-Ip

    Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters. slot slot-number: Specifies a card by its slot number. The slot-number argument represents the slot number of the card.
  • Page 103: Hwtacacs Scheme

    Views System view Default command level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs.
  • Page 104: Key (Hwtacacs Scheme View)

    Parameters hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines An HWTACACS scheme can be referenced by more than one ISP domain at the same time. An HWTACACS scheme referenced by ISP domains cannot be removed. Examples # Create an HWTACACS scheme named hwt1, and enter HWTACACS scheme view.
  • Page 105: Nas-Ip (Hwtacacs Scheme View)

    Examples # Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key accounting simple hello # Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
  • Page 106: Primary Accounting (Hwtacacs Scheme View)

    The setting configured by the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence. Examples # Set the source address for outgoing HWTACACS packets to 10.1.1.1.
  • Page 107: Primary Authentication (Hwtacacs Scheme View)

    Examples # Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10.163.155.12 and 49. <Sysname> system-view [Sysname] hwtacacs scheme test1 [Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) primary authentication (HWTACACS scheme view) Use primary authentication to specify the primary HWTACACS authentication server.
  • Page 108: Primary Authorization

    Examples # Specify the IP address and port number of the primary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 and 49. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) primary authorization Use primary authorization to specify the primary HWTACACS authorization server.
  • Page 109: Reset Hwtacacs Statistics

    Examples # Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) reset hwtacacs statistics Use reset hwtacacs statistics to clear HWTACACS statistics.
  • Page 110: Retry Stop-Accounting (Hwtacacs Scheme View)

    Syntax In standalone mode: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] In IRF mode: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ chassis chassis-number slot slot-number ] Views User view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme.
  • Page 111: Secondary Accounting (Hwtacacs Scheme View)

    Parameters retry-times: Maximum number of stop-accounting request transmission attempts, ranging from 1 to 300. Examples # Set the maximum number of stop-accounting request transmission attempts to 50 for HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] retry stop-accounting 50 Related commands •...
  • Page 112: Secondary Authentication (Hwtacacs Scheme View)

    The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. Examples # Specify the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 as 10.163.155.12 with TCP port number 49. <Sysname>...
  • Page 113: Secondary Authorization

    Examples # Specify the IP address and port number of the secondary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 with TCP port number 49. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 Related commands • display hwtacacs •...
  • Page 114: Stop-Accounting-Buffer Enable (Hwtacacs Scheme View)

    [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) stop-accounting-buffer enable (HWTACACS scheme view) Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function.
  • Page 115: Timer Realtime-Accounting (Hwtacacs Scheme View)

    Default The primary server quiet period is 5 minutes. Views HWTACACS scheme view Default command level 2: System level Parameters minutes: Primary server quiet period. The value ranges from 1 to 255, in minutes. Usage guidelines When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until the quiet timer expires.
  • Page 116: Timer Response-Timeout (Hwtacacs Scheme View)

    Table 9 Recommended real-time accounting intervals Number of users Real-time accounting interval (in minutes) 1 to 99 100 to 499 500 to 999 1000 or more 15 or more Examples # Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1. <Sysname>...
  • Page 117: Vpn-Instance (Hwtacacs Scheme View)

    Syntax user-name-format { keep-original | with-domain | without-domain } Default The ISP domain name is included in the username. Views HWTACACS scheme view Default command level 2: System level Parameters keep-original: Sends the username to the HWTACACS server as it is entered. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
  • Page 118 Parameters vpn-instance-name: Name of MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified. Examples # Specify VPN instance test for HWTACACS scheme hwt1. <Sysname>...
  • Page 119: 802.1X Commands

    802.1X commands 802.1X commands are supported only on a SAP module that is operating in bridge mode. display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 120 Supp Timeout 30 s, Server Timeout 100 s Reauth Period 3600 s The maximal retransmitting times EAD quick deploy configuration: URL: http://192.168.19.23 Free IP: 192.168.19.0 255.255.255.0 EAD timeout: The maximum 802.1X user resource number is 2048 per slot Total current used 802.1X resource number is 1 GigabitEthernet3/0/1 is link-up 802.1X protocol is enabled...
  • Page 121 Field Description Proxy trap checker is disabled Whether the device sends a trap when detecting that a user is accessing the network through a proxy. Proxy logoff checker is disabled Whether the device logs off the user when detecting that the user is accessing the network through a proxy.
  • Page 122: Dot1X

    Field Description Guest VLAN 802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured. Auth-fail VLAN Auth-Fail VLAN configured on the port. NOT configured is displayed if no Auth-Fail VLAN is configured. Critical VLAN 802.1X critical VLAN configured on the port. NOT configured is displayed if no 802.1X critical VLAN is configured on the port.
  • Page 123 dot1x [ interface interface-list ] undo dot1x [ interface interface-list ] In Ethernet interface view: dot1x undo dot1x Default 802.1X is neither enabled globally nor enabled for any port. Views System view, Ethernet interface view Default command level 2: System level Parameters interface interface-list: Specifies a port list, which can contain multiple ports.
  • Page 124: Dot1X Authentication-Method

    [Sysname] interface gigabitethernet 3/0/7 [Sysname-GigabitEthernet3/0/7] dot1x # Enable 802.1X globally. <Sysname> system-view [Sysname] dot1x Related commands display dot1x dot1x authentication-method Use dot1x authentication-method to specify an EAP message handling method. Use undo dot1x authentication-method to restore the default. Syntax dot1x authentication-method { chap | eap | pap } undo dot1x authentication-method Default The network access device performs EAP termination and uses CHAP to communicate with the...
  • Page 125: Dot1X Auth-Fail Vlan

    EAP authentication method as the client. If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS configuration commands." Local authentication supports PAP and CHAP. If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
  • Page 126: Dot1X Critical Vlan

    You can configure both an Auth-Fail VLAN and a guest VLAN for a port. Examples # Configure VLAN 3 as the Auth-Fail VLAN for port GigabitEthernet 3/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] dot1x auth-fail vlan 3 Related commands •...
  • Page 127: Dot1X Critical Recovery-Action

    dot1x critical recovery-action Use dot1x critical recovery-action to configure the action that a port takes when an active (reachable) RADIUS authentication server is detected for users in the 802.1X critical VLAN. Use undo dot1x critical recovery-action to restore the default. Syntax dot1x critical recovery-action reinitialize undo dot1x critical recovery-action...
  • Page 128: Dot1X Guest-Vlan

    Default The access device supports only the at sign (@) delimiter for 802.1X users. Views System view Default command level 2: System level Parameters string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters.
  • Page 129: Dot1X Handshake

    Parameters guest-vlan-id: Specifies the ID of the VLAN to be specified as the 802.1X guest VLAN. The value range is 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide. interface interface-list: Specifies a port list.
  • Page 130: Dot1X Handshake Secure

    Syntax dot1x handshake undo dot1x handshake Default The function is enabled. Views Ethernet interface view Default command level 2: System level Usage guidelines The 802.1X proxy detection function depends on the online user handshake function. Enable handshake before enabling proxy detection and disable proxy detection before disabling handshake. Hewlett Packard Enterprise recommends that you use the iNode client software to ensure the normal operation of the online user handshake function.
  • Page 131: Dot1X Mandatory-Domain

    <Sysname> system-view [Sysname] interface gigabitethernet 3/0/4 [Sysname-GigabitEthernet3/0/4] dot1x handshake secure Related commands dot1x handshake dot1x mandatory-domain Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port. Use undo dot1x mandatory-domain to remove the mandatory authentication domain. Syntax dot1x mandatory-domain domain-name undo dot1x mandatory-domain Default...
  • Page 132: Dot1X Max-User

    Total 1 connection(s) matched. Related commands display dot1x dot1x max-user Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port. Use undo dot1x max-user to restore the default. Syntax In system view: dot1x max-user user-number [ interface interface-list ] undo dot1x max-user [ interface interface-list ] In Ethernet interface view: dot1x max-user user-number...
  • Page 133: Dot1X Multicast-Trigger

    [Sysname-GigabitEthernet3/0/1] dot1x max-user 32 # Configure GigabitEthernet 3/0/2 through GigabitEthernet 3/0/5 each to support a maximum of 32 concurrent 802.1X users. <Sysname> system-view [Sysname] dot1x max-user 32 interface gigabitethernet 3/0/2 to gigabitethernet 3/0/5 Related commands display dot1x dot1x multicast-trigger Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X clients and trigger authentication.
  • Page 134: Dot1X Port-Method

    dot1x port-control { authorized-force | auto | unauthorized-force } undo dot1x port-control Default The default port authorization state is auto. Views System view, Ethernet interface view Default command level 2: System level Parameters authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication.
  • Page 135 Syntax In system view: dot1x port-method { macbased | portbased } [ interface interface-list ] undo dot1x port-method [ interface interface-list ] In Ethernet interface view: dot1x port-method { macbased | portbased } undo dot1x port-method Default MAC-based access control applies. Views System view, Ethernet interface view Default command level...
  • Page 136: Dot1X Quiet-Period

    dot1x quiet-period Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. Use undo dot1x quiet-period to disable the timer. Syntax dot1x quiet-period undo dot1x quiet-period...
  • Page 137: Dot1X Retry

    Examples # Enable the 802.1X periodic online user re-authentication function on GigabitEthernet 3/0/1 and set the periodic re-authentication interval to 1800 seconds. <Sysname> system-view [Sysname] dot1x timer reauth-period 1800 [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] dot1x re-authenticate Related commands dot1x timer reauth-period dot1x retry Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.
  • Page 138: Dot1X Supp-Proxy-Check

    dot1x supp-proxy-check Use dot1x supp-proxy-check to enable the proxy detection function and set the processing method on the specified ports or all ports. Use undo dot1x supp-proxy-check to disable the function on the specified ports or all ports. Syntax In system view: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] In Ethernet interface view:...
  • Page 139: Dot1X Timer

    <Sysname> system-view [Sysname] dot1x supp-proxy-check trap [Sysname] interface gigabitethernet 3/0/9 [Sysname-GigabitEthernet3/0/9] dot1x supp-proxy-check trap Related commands display dot1x dot1x timer Use dot1x timer to set 802.1X timers. Use undo dot1x timer to restore the defaults. Syntax dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value } undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout |...
  • Page 140: Dot1X Unicast-Trigger

    • Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client. • Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command.
  • Page 141: Reset Dot1X Statistics

    Examples # Enable the unicast trigger function for interface GigabitEthernet 3/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] dot1x unicast-trigger Related commands • display dot1x • dot1x timer tx-period • dot1x retry reset dot1x statistics Use reset dot1x statistics to clear 802.1X statistics. Syntax reset dot1x statistics [ interface interface-list ] Views...
  • Page 142: Ead Fast Deployment Commands

    EAD fast deployment commands EAD fast deployment commands are supported only on a SAP module that is operating in bridge mode. dot1x free-ip Use dot1x free-ip to configure a free IP. Users can access the segment before passing 802.1X authentication. Use undo dot1x free-ip to remove the specified or all free IP addresses.
  • Page 143: Dot1X Url

    Default The timer is 30 minutes. Views System view Default command level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes. The value range is 1 to 1440. Usage guidelines EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network.
  • Page 144 If you configure the dot1x url command multiple times, the last configured URL takes effect. Examples # Configure the redirect URL as http://192.168.0.1. <Sysname> system-view [Sysname] dot1x url http://192.168.0.1 Related commands • display dot1x • dot1x free-ip...
  • Page 145: Mac Authentication Configuration Commands

    MAC authentication configuration commands MAC authentication commands are available only for SAP modules that are operating in bridge mode. display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics, including global settings, and port-specific settings and MAC authentication and online user statistics. Syntax display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]...
  • Page 146 The max allowed user number is 2048 per slot Current user number amounts to 0 Current domain: not configured, use default domain Silent Mac User info: MAC Addr From Port Port Index GigabitEthernet3/0/1 is link-up MAC address authentication is enabled Authenticate success: 0, failed: 0 Max number of on-line users is 1024 Current online user number is 0...
  • Page 147: Mac-Authentication

    Field Description Authenticate success: 0, failed: 0: MAC authentication statistics, including the number of successful and unsuccessful authentication attempts. Max number of on-line users: Maximum number of concurrent online users allowed on the port. If MAC authentication is not enabled on the port, the field displays 0. Current online user number: Number of online users on the port.
  • Page 148: Mac-Authentication Domain

    and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port. Usage guidelines To use MAC authentication on a port, you must enable the function both globally and on the port. Examples # Enable MAC authentication globally.
  • Page 149: Mac-Authentication Max-User

    Examples # Specify the domain1 domain as the global authentication domain for MAC authentication users. <Sysname> system-view [Sysname] mac-authentication domain domain1 # Specify the aabbcc domain as the authentication domain for MAC authentication users on port GigabitEthernet 3/0/1. [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] mac-authentication domain aabbcc Related commands display mac-authentication...
  • Page 150: Mac-Authentication User-Name-Format

    Default The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds. Views System view Default command level 2: System level Parameters offline-detect offline-detect-value: Sets the offline detect timer in the range of 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user idle.
  • Page 151 Parameters fixed: Uses a shared account for all MAC authentication users. account name: Specifies the username for the shared account. The name takes a case-insensitive string of 1 to 55 characters. If no username is specified, the default name mac applies. password: Specifies the password for the shared user account. cipher: Sets a ciphertext password.
  • Page 152: Reset Mac-Authentication Statistics

    reset mac-authentication statistics Use reset mac-authentication statistics to clear MAC authentication statistics. Syntax reset mac-authentication statistics [ interface interface-list ] Views User view Default command level 2: System level Parameters interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
  • Page 153: Portal Configuration Commands

    Portal configuration commands Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting. access-user detect Use access-user detect to configure the online portal user detection function. Use undo access-user detect to restore the default. Syntax access-user detect type { arp | icmp } retransmit number interval interval [ idle-time idletime ] undo access-user detect...
  • Page 154: Display Portal Acl

    [Sysname-GigabitEthernet3/0/1] access-user detect type arp retransmit 3 interval 10 display portal acl Use display portal acl to display the ACLs on a specific interface. Syntax display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 155 Port : 40000 Rule 1 Inbound interface : GigabitEthernet3/0/1 Type : static Action : permit Protocol Source: : 0.0.0.0 Mask : 0.0.0.0 Port : 23 : 0000-0000-0000 Interface : any VLAN Destination: : 192.168.0.111 Mask : 255.255.255.255 Port : any Rule 2 Inbound interface : GigabitEthernet3/0/1 Type...
  • Page 156: Display Portal Connection Statistics

    Mask : 0.0.0.0 Author ACL: Number : 3001 Table 12 Command output Field Description Rule Sequence number of the portal ACL, which is numbered from 0 in ascending order. Inbound interface Interface to which the portal ACL is bound. Type Type of the portal ACL.
  • Page 157 interface interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 158 MSG_CUT_L3IF MSG_IP_REMOVE MSG_ALL_REMOVE MSG_IFIPADDR_CHANGE MSG_SOCKET_CHANGE MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT Table 13 Command output Field Description User state statistics Statistics on portal users. State-Name Name of a user state. User-Num Number of users in a specific state. Message statistics Statistics on messages. Msg-Name Message type.
  • Page 159: Display Portal Free-Rule

    Field Description MSG_CUT_L3IF: Users-removed message, indicating the users on a Layer 3 interface were removed because they were logged out. MSG_IP_REMOVE: User-with-an-IP-removed message. MSG_ALL_REMOVE: All-users-removed message. MSG_IFIPADDR_CHANGE: Interface IP address change message. MSG_SOCKET_CHANGE: Socket change message. MSG_NOTIFY: Notification message. MSG_SETPOLICY: Set policy message for assigning security ACL.
  • Page 160: Display Portal Interface

    Mask : 0.0.0.0 Port : any Protocol # Display information about portal-free rule 3. <Sysname> display portal free-rule 3 Rule-Number Source: : 222.222.222.222 Mask : 255.255.255.255 Port : 50000 ~ 51000 : 0000-0000-0000 Interface : any Vlan Destination: : 111.111.111.111 Mask : 255.255.255.255 Port...
  • Page 161 Views Any view Default command level 1: Monitor level Parameters interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 162: Display Portal Server

    display portal server Use display portal server to display information about a specific portal server or all portal servers. Syntax display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters...
  • Page 163: Display Portal Server Statistics

    Field Description Server Type: Type of the portal server. Possible values include: • CMCC—CMCC portal server. • IMC—IMC portal server. Current status of the portal server. Possible values include: • N/A—The server is not referenced on any interface, or the server detection function is not enabled.
  • Page 164 REQ_CHALLENGE ACK_CHALLENGE REQ_AUTH ACK_AUTH REQ_LOGOUT ACK_LOGOUT AFF_ACK_AUTH NTF_LOGOUT REQ_INFO ACK_INFO NTF_USERDISCOVER NTF_USERIPCHANGE AFF_NTF_USERIPCHANGE ACK_NTF_LOGOUT NTF_HEARTBEAT NTF_USERSYNC ACK_NTF_USERSYNC NTF_CHALLENGE NTF_USER_NOTIFY AFF_NTF_USER_NOTIFY NTF_AUTH ACK_NTF_AUTH REQ_QUERY_STATE ACK_QUERY_STATE RESERVED33 RESERVED35 Table 17 Command output Field Description Interface Interface referencing the portal server. Invalid packets Number of invalid packets.
  • Page 165: Display Portal Tcp-Cheat Statistics

    Field Description AFF_ACK_AUTH: Affirmation message the portal server sent to the access device after receiving an authentication acknowledgement message. NTF_LOGOUT: Forced logout notification message the access device sent to the portal server. REQ_INFO: Information request message. ACK_INFO: Information acknowledgment message. NTF_USERDISCOVER: User discovery notification message the portal server sent to the access device.
  • Page 166 Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 167: Display Portal User

    Field Description FIN_WAIT_1 Number of connections in FIN_WAIT_1 state. FIN_WAIT_2 Number of connections in FIN_WAIT_2 state. CLOSING Number of connections in CLOSING state. display portal user Use display portal user to display information about portal users on a specific interface or all interfaces.
  • Page 168: Portal Auth-Network

    Vlan Interface --------------------------------------------------------------------- 000d-88f8-0eac 3.3.3.3 GigabitEthernet3/0/2 Total 2 user(s) matched, 2 listed. Table 19 Command output Field Description Index Index of the portal user. State Current status of the portal user. SubState Current sub-status of the portal user. Authorization ACL of the portal user. User's working mode: •...
  • Page 169: Portal Auth-Network Destination

    mask-length: Length of the subnet mask, in the range of 0 to 32. mask: Subnet mask, in dotted decimal notation. all: Specifies all authentication source subnets. Usage guidelines This command is only applicable for cross-subnet authentication (layer3). The portal authentication source subnet for direct authentication (direct) can be any source IP address, and the portal authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users.
  • Page 170: Portal Delete-User

    You can configure multiple authentication destination subnets by executing the portal auth-network destination command. The system supports up to 16 authentication source subnets and destination subnets. If both an authentication source subnet and destination subnet are configured on an interface, only the authentication destination subnet takes effect.
  • Page 171: Portal Domain

    Views System view Default command level 2: System level Parameters id-value: Device ID of the device, a case-sensitive string of 1 to 16 characters. This device ID value is carried in the redirection URL to be sent to the clients. Usage guidelines If the type of the portal server specified for Layer 3 portal authentication is CMCC, you must specify the device ID.
  • Page 172: Portal Free-Rule

    Related commands display portal interface portal free-rule Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination filtering condition, or both. Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules. Syntax portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | mask } | any } [ tcp tcp-port-number [ to tcp-port-number ] | udp udp-port-number [ to udp-port-number ] ] } |...
  • Page 173: Portal Max-User

    Regardless of whether portal authentication is enabled on an interface, you can only add or remove a portal-free rule. You cannot modify it. A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation group.
  • Page 174: Portal Nas-Id-Profile

    Use undo portal nas-id to restore the default. Syntax portal nas-id nas-identifier undo portal nas-id Default The device name specified through the sysname command is used as the NAS ID of a RADIUS request. For information about the sysname command, see Fundamentals Command Reference. Views Interface view, system view Default command level...
  • Page 175: Portal Nas-Ip

    Usage guidelines If an interface is specified with a NAS ID profile, the interface prefers to use the binding defined in the profile. If no NAS ID profile is specified for an interface or no matching binding is found in the specified profile: •...
  • Page 176: Portal Nas-Port-Type

    Syntax portal nas-port-id nas-port-id-value undo portal nas-port-id Default No NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request. Views Interface view Default command level...
  • Page 177: Portal Redirect-Url

    wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless.
  • Page 178 undo portal server server-name [ key | port | server-type | url | vpn-instance ] Default No portal server is configured for Layer 3 portal authentication. Views System view Default command level 2: System level Parameters server-name: Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters. ip ip-address: Specifies the IP address of the portal server.
  • Page 179: Portal Server Method

    Examples # Configure portal server pts, setting the IP address to 192.168.0.111, the key to portal in plain text, and the redirection URL to http://192.168.0.113/portal. <Sysname> system-view [Sysname] portal server pts ip 192.168.0.111 key simple portal url http://192.168.0.113/portal Related commands •...
  • Page 180: Portal Server Server-Detect

    portal server server-detect Use portal server server-detect to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. When this function is configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes.
  • Page 181: Portal Server User-Sync

    heartbeat packets or authentication packets (such as login requests and logout requests), it re-enables the portal authentication function. • trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of a portal server changes, the access device sends a trap message to the network management server (NMS).
  • Page 182: Reset Portal Connection Statistics

    undo portal server server-name user-sync Default The portal user synchronization function is not configured. Views System view Default command level 2: System level Parameters server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.
  • Page 183: Reset Portal Server Statistics

    Views User view Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Examples # Clear portal connection statistics on interface GigabitEthernet 3/0/1. <Sysname> reset portal connection statistics interface gigabitethernet 3/0/1 reset portal server statistics Use reset portal server statistics to clear portal server statistics on a specific interface or all interfaces.
  • Page 184: Port Security Configuration Commands

    Port security configuration commands The port security commands are available only for SAP modules that are operating in bridge mode. display port-security Use display port-security to display port security configuration information, operation information, and statistics for one or more ports. Syntax display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views...
  • Page 185 Index is 1, OUI value is 000d1a Index is 2, OUI value is 003c12 GigabitEthernet3/0/1 is link-down Port mode is userLoginWithOUI NeedToKnow mode is NeedToKnowOnly Intrusion Protection mode is DisablePort Max MAC address number is 50 Stored MAC address number is 0 Authorization is ignored GigabitEthernet3/0/2 is link-down Port mode is noRestriction...
  • Page 186 Field Description Port mode: Port security mode: • noRestrictions. • autoLearn. • macAddressWithRadius. • macAddressElseUserLoginSecure. • macAddressElseUserLoginSecureExt. • secure. • userLogin. • userLoginSecure. • userLoginSecureExt. • macAddressOrUserLoginSecure. • macAddressOrUserLoginSecureExt. • userLoginWithOUI. Need to know (NTK) mode: • NeedToKnowOnly—Allows only unicast packets with authenticated destination MAC addresses.
  • Page 187: Display Port-Security Mac-Address Block

    • port-security max-mac-count • port-security mac-address security • port-security authorization ignore • port-security oui • port-security trap display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses. Syntax display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 188 --- On slot 2, no mac address found --- --- On slot 3, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses in VLAN 30. <Sysname> display port-security mac-address block vlan 30 MAC ADDR From Port VLAN ID...
  • Page 189: Display Port-Security Mac-Address Security

    Related commands port-security intrusion-mode display port-security mac-address security Use display port-security mac-address security to display information about secure MAC addresses. Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command. Syntax display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]...
  • Page 190: Port-Security Authorization Ignore

    0002-0002-0002 Security GigabitEthernet3/0/1 NOAGED 000d-88f8-0577 Security GigabitEthernet3/0/1 NOAGED 2 mac address(es) found # Display information about secure MAC addresses on port GigabitEthernet 3/0/1. <Sysname> display port-security mac-address security interface gigabitethernet 3/0/1 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME 000d-88f8-0577 Security GigabitEthernet3/0/1...
  • Page 191: Port-Security Enable

    Default command level 2: System level Usage guidelines After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user's account. For example, it can assign a VLAN. Examples # Configure port GigabitEthernet 3/0/1 to ignore the authorization information from the authentication server.
  • Page 192: Port-Security Intrusion-Mode

    • dot1x port-control • mac-authentication port-security intrusion-mode Use port-security intrusion-mode to configure the intrusion protection feature so that the port takes the pre-defined actions when intrusion protection is triggered on the port. Use undo port-security intrusion-mode to restore the default. Syntax port-security intrusion-mode { blockmac | disableport | disableport-temporarily } undo port-security intrusion-mode...
  • Page 193: Port-Security Mac-Address Dynamic

    Syntax port-security mac-address aging-type inactivity undo port-security mac-address aging-type inactivity Default The inactivity aging function is disabled. Views Layer 2 Ethernet interface view Default command level 2: System level Usage guidelines If only an aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC address.
  • Page 194: Port-Security Mac-Address Security

    Usage guidelines After you execute this command, you cannot manually configure sticky MAC addresses, and secure MAC addresses automatically learned by a port in autoLearn mode are also dynamic. All dynamic MAC addresses are lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot.
  • Page 195 Usage guidelines Secure MAC addresses are MAC addresses configured or learned in autoLearn mode. They can survive link down/up events, and once saved, can survive a device reboot. You can bind a MAC address to only one port in a VLAN. When a port is operating in autoLearn mode, you can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure.
  • Page 196: Port-Security Max-Mac-Count

    port-security max-mac-count Use port-security max-mac-count to set the maximum number of MAC addresses that port security allows on a port. Use undo port-security max-mac-count to restore the default setting. Syntax port-security max-mac-count count-value undo port-security max-mac-count Default Port security has no limit on the number of MAC addresses on a port. Views Ethernet interface view Default command level...
  • Page 197: Port-Security Oui

    Default NTK is disabled on a port and all frames are allowed to be sent. Views Ethernet interface view Default command level 2: System level Parameters ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses. ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
  • Page 198: Port-Security Port-Mode

    index-value: Specifies the OUI index in the range of 1 to 16. Usage guidelines An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure a device to allow packets from certain devices to pass authentication.
  • Page 199 Keyword Security mode Description • mac-else-userlogin-secure (macAddressElseUserLoginSecure): This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. A port in this mode performs MAC authentication 30 seconds after receiving a non-802.1X frame. •
  • Page 200: Port-Security Timer Autolearn Aging

    When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes. Examples # Enable port security and set port GigabitEthernet 3/0/1 in secure mode. <Sysname>...
  • Page 201: Port-Security Trap

    Use undo port-security timer disableport to restore the default. Syntax port-security timer disableport time-value undo port-security timer disableport Default The silence period is 20 seconds. Views System view Default command level 2: System level Parameters time-value: Specifies the silence period in seconds during which the port remains disabled. The value range is 20 to 300.
  • Page 202 Parameters addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address. dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails. dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.
  • Page 203: User Profile Configuration Commands

    User profile configuration commands display user-profile Use display user-profile to display information about all user profiles that have been created. Syntax display user-profile [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters |: Filters command output by specifying a regular expression.
  • Page 204: User-Profile

    Default A created user profile is disabled. Views System view Default command level 2: System level Parameters profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underscores, and it must start with an English letter. The user profile must already exist.
  • Page 205 # Enter the user profile view of a123. <Sysname> system-view [Sysname] user-profile a123 [Sysname-user-profile-a123] Related commands user-profile enable...
  • Page 206: Password Control Configuration Commands

    Password control configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration information.
  • Page 207: Display Password-Control Blacklist

    # Display the password control configuration for super passwords. <Sysname> display password-control super Super password control configurations: Password aging: Enabled (90 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Table 24 Command output Field Description Password control...
  • Page 208: Password

    Parameters user-name name: Specifies a user by the name, a string of 1 to 80 characters. ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 209 Usage guidelines Valid characters for a local user password are from the following four types: • Uppercase letters A to Z. • Lowercase letters a to z. • Digits 0 to 9. • Special characters in Table 26. Table 26 Special characters Character name Symbol Character name...
  • Page 210: Password-Control { Aging | Composition | History | Length } Enable

    password-control { aging | composition | history | length } enable Use password-control { aging | composition | history | length } enable to enable the password aging, composition restriction, history, or minimum password length restriction function. Use undo password-control { aging | composition | history | length } enable to disable the specified function.
  • Page 211: Password-Control Aging

    Related commands • password-control enable • display password-control password-control aging Use password-control aging to set the password aging time. Use undo password-control aging to restore the default. Syntax password-control aging aging-time undo password-control aging Default A password expires after 90 days globally. The password aging time of a user group equals the global setting.
  • Page 212: Password-Control Alert-Before-Expire

    • user-group password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default A user is notified of pending password expiration 7 days before the user's password expires.
  • Page 213: Password-Control Complexity

    Examples # Set the user authentication timeout time to 40 seconds. <Sysname> system-view [Sysname] password-control authentication-timeout 40 password-control complexity Use password-control complexity to configure the password complexity checking policy. Complexity-incompliant passwords will be refused. Use undo password-control complexity check to remove a password complexity checking item. Syntax password-control complexity { same-character | user-name } check undo password-control complexity { same-character | user-name } check...
  • Page 214 characters (see "password"), and each type of characters in the password must contain at least one character. In FIPS mode, the global password composition policy is as follows: A password must contain four types of characters from uppercase letters, lowercase letters, digits and special characters, and each type contains at least one character.
  • Page 215: Password-Control Enable

    password-control enable Use password-control enable to enable the password control feature globally. Use undo password-control enable to disable the password control feature globally. Syntax password-control enable undo password-control enable Default The password control feature is disabled globally. Views System view Default command level 2: System level Usage guidelines...
  • Page 216: Password-Control History

    times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10. 0 means that a user cannot log in after the password expires. Examples # Specify that a user can log in five times within 60 days after the password expires. <Sysname>...
  • Page 217: Password-Control Login Idle-Time

    Views System view, user group view, local user view Default command level 2: System level Parameters length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 8 to 32 in FIPS mode. Usage guidelines The setting in system view has global significance and applies to all user groups.
  • Page 218: Password-Control Login-Attempt

    undo password-control login idle-time Default You cannot use a user account to log in to the device if the account has been idle for 90 days. Views System view Default command level 2: System level Parameters idle-time: Specifies the maximum account idle time in days, in the range of 0 to 365. 0 means no restriction for account idle time.
  • Page 219: Password-Control Password Update Interval

    unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log in. Usage guidelines If prohibited permanently, a user can log in only after you remove the user from the password control blacklist.
  • Page 220: Password-Control Super Aging

    undo password-control password update interval Default The minimum password update interval is 24 hours. Views System view Default command level 2: System level Parameters interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.
  • Page 221: Password-Control Super Composition

    Examples # Set the super passwords to expire after 10 days. <Sysname> system-view [Sysname] password-control super aging 10 Related commands password-control aging password-control super composition Use password-control super composition to configure the composition policy for super passwords. Use undo password-control super composition to restore the default. Syntax password-control super composition type-number type-number [ type-length type-length ] undo password-control super composition...
  • Page 222: Reset Password-Control Blacklist

    Use undo password-control super length to restore the default. Syntax password-control super length length undo password-control super length Default The minimum password length for super passwords is the same as the global minimum password length. Views System view Default command level 2: System level Parameters length: Specifies the minimum length for super passwords in characters.
  • Page 223: Reset Password-Control History-Record

    <Sysname> reset password-control blacklist user-name test Are you sure to delete the specified user in blacklist? [Y/N]: Related commands display password-control blacklist reset password-control history-record Use reset password-control history-record to delete history password records. Syntax reset password-control history-record [ user-name name | super [ level level ] ] Views User view Default command level...
  • Page 224: Rsh Configuration Commands

    RSH configuration commands Use rsh to execute an OS command on a remote host. Syntax rsh host [ user username ] command remote-command Views User view Default command level 0: Visit level Parameters host: IP address or host name of the remote host, a string of 1 to 20 characters. user username: Specifies the username for remote login, a string of 1 to 20 characters.
  • Page 225 2003-06-22 11:14 452,230 wrshdnt.htm 2003-06-23 18:18 4,803 wrshdnt_header.htm 2003-06-23 18:18 178 wrshdnt_filelist.xml 2003-06-22 11:13 156,472 wrshdnt.pdf 2001-09-02 15:41 49,152 wrshdrdr.exe 2003-06-21 10:32 69,632 wrshdrun.exe 2004-01-02 15:54 196,608 wrshdsp.exe 2004-01-02 15:54 102,400 wrshdnt.exe 2001-07-30 18:05 766 wrshdnt.ico 2004-07-13 09:10 3,253 INSTALL.LOG 21 files 1,749,848 bytes 2 directories...
  • Page 226: Public Key Configuration Commands

    Public key configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display the public key information of local asymmetric key pairs.
  • Page 227: Display Public-Key Peer

    ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12 B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75 1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 20:00:16 2007/10/25 Key name: HOST_KEY Key type: DSA Encryption Key ===================================================== Key code: 308201B83082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F061C4F...
  • Page 228 Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all peer public keys. name publickey-name: Specifies a peer public key by its name, a case-sensitive string of 1 to 64 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 229: Peer-Public-Key End

    1024 10.1.1.1 Table 29 Command output Field Description Type Key type: RSA or DSA. Module Key modulus length in bits. Name Name of the public key. Related commands • public-key peer • public-key peer import sshkey peer-public-key end Use peer-public-key end to return from public key view to system view. Syntax peer-public-key end Views...
  • Page 230: Public-Key-Code End

    Usage guidelines If the peer device is an HPE device, input the key data displayed by the display public-key local public command so that the key is format compliant. Examples # Enter public key code view and input the key.
  • Page 231: Public-Key Local Create

    [Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1 DDE675AC30CB020301 [Sysname-pkey-key-code]0001 [Sysname-pkey-key-code] public-key-code end [Sysname-pkey-public-key] Related commands • public-key peer • public-key-code begin public-key local create Use public-key local create to create local asymmetric key pairs. The created local key pairs are automatically saved, and can survive a reboot. Syntax public-key local create { dsa | rsa } [ name key-name ] Default...
  • Page 232: Public-Key Local Destroy

    NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++ +++++++ +++++++++ # Create a local DSA key pair using the default name. <Sysname>...
  • Page 233: Public-Key Local Export

    Views System view Default command level 2: System level Parameters dsa: Specifies the DSA key pair. rsa: Specifies the RSA key pair. name key-name: Specifies a local key pair by its name. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the default key pair of the specified type.
  • Page 234: Public-Key Local Export Public Dsa

    aes-cbc-128: Specifies the 128-bit AES_CBC encryption algorithm. aes-cbc-192: Specifies the 192-bit AES_CBC encryption algorithm. aes-cbc-256: Specifies the 256-bit AES_CBC encryption algorithm. password: Specifies a password used to encrypt the RSA key pair. Usage guidelines You must specify an encryption algorithm and password to encrypt the specified RSA key pair. The router does not support displaying RSA key pairs in plaintext.
  • Page 235 Syntax public-key local export public dsa { openssh | ssh2 } [ filename ] Views System view Default command level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh2: Uses the format of SSH2.0. filename: Specifies the name of the file for storing the local public key. For more information about file name, see Fundamentals Configuration Guide.
  • Page 236: Public-Key Local Export Public Rsa

    public-key local export public rsa Use public-key local export public rsa without the filename argument to display the host public key of the local RSA key pairs in a specific key format. Use public-key local export public rsa with the filename argument to export the host public key of the local RSA key pairs to a specific file.
  • Page 237: Public-Key Local Import

    public-key local import Use public-key local import to import an RSA key pair in PEM format. Syntax public-key local import rsa name key-name pem Views System view Default command level 2: System level Parameters rsa: Specifies an RSA key pair. name key-name: Specifies a name for the imported RSA key pair.
  • Page 238: Public-Key Peer

    q/txd/KsLnp0rpJkc/WhOTprioeLQQEBayixKRWzNLsZt3L6lqYbA01Z1THho+EV 0Ng0EZKQyiRV1j7gsBYFRinbSAsIpeYlr7gDAnBCRJdSfPNBKG+ewg== -----END RSA PRIVATE KEY----- Please input the password:12345678 [Sysname] # If an RSA key pair with the same name already exists, specify whether to overwrite the existing key pair. Warning: The device already has a key pair with the same name. If you choose to continue, the existing key pair will be overwritten.
  • Page 239: Public-Key Peer Import Sshkey

    • public-key-code end • peer-public-key end • display public-key peer public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key. Syntax public-key peer keyname import sshkey filename undo public-key peer keyname...
  • Page 240: Pki Configuration Commands

    PKI configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name and alternative certificate subject name.
  • Page 241: Ca Identifier

    Examples # Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc. <Sysname> system-view [Sysname] pki certificate attribute-group mygroup [Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc # Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc.
  • Page 242: Certificate Request From

    Default No entity is specified for certificate request. Views PKI domain view Default command level 2: System level Parameters entity-name: Specifies an entity name for certificate request, a case-insensitive string of 1 to 15 characters. Examples # Specify the entity for certificate request as entity1. <Sysname>...
  • Page 243: Certificate Request Polling

    Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual } undo certificate request mode Default Manual mode is used. Views PKI domain view Default command level...
  • Page 244: Certificate Request Url

    Default The polling is executed every 20 minutes for up to 50 times. Views PKI domain view Default command level 2: System level Parameters count count: Specifies the maximum number of attempts to poll the status of the certificate request. The value range is 1 to 100.
  • Page 245: Common-Name

    Examples # Specify the URL of the server for certificate request. <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll common-name Use common-name to configure the common name of an entity, which can be, for example, the user name.
  • Page 246: Crl Check

    Default command level 2: System level Parameters country-code-str: Specifies a country code for the entity, a case-insensitive string of 2 characters. Examples # Set the country code of an entity to CN. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] country CN crl check Use crl check to enable or disable CRL checking.
  • Page 247: Crl Url

    Default The CRL update period depends on the next update field in the CRL file. Views PKI domain view Default command level 2: System level Parameters hours: Specifies the CRL update period in hours, in the range of 1 to 720. Examples # Set the CRL update period to 20 hours.
  • Page 248: Display Pki Certificate

    display pki certificate Use display pki certificate to display the contents or request status of a certificate. Syntax display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
  • Page 249: Display Pki Certificate Access-Control-Policy

    L=City Y CN=pki test Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00D41D1F … Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS: hyf.xxyyzz.net X509v3 CRL Distribution Points: URI:http://1.1.1.1:447/myca.crl … … Signature Algorithm: md5WithRSAEncryption A3A5A447 4D08387D …...
  • Page 250: Display Pki Certificate Attribute-Group

    Default command level 1: Monitor level Parameters policy-name: Specifies the name of a certificate attribute-based access control policy, a string of 1 to 16 characters. all: Specifies all certificate attribute-based access control policies. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 251: Display Pki Crl Domain

    include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about the certificate attribute group mygroup. <Sysname> display pki certificate attribute-group mygroup attribute group name: mygroup attribute 1 subject-name attribute...
  • Page 252: Fqdn

    <Sysname> display pki crl domain 1 Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN O=abc OU=soft CN=A Test Root Last Update: Jan 5 08:44:19 2004 GMT Next Update: Jan 5 21:42:13 2004 GMT CRL extensions: X509v3 Authority Key Identifier: keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC Revoked Certificates: Serial Number: 05a234448E…...
  • Page 253: Include Serial-Number

    Use undo fqdn to remove the configuration. Syntax fqdn name-str undo fqdn Default No FQDN is specified for an entity. Views PKI entity view Default command level 2: System level Parameters name-str: Specifies a fully qualified domain name (FQDN) for an entity, a case-insensitive string of 1 to 127 characters.
  • Page 254: Ip (Pki Entity View)

    ip (PKI entity view) Use ip to configure the IP address of an entity. Use undo ip to remove the configuration. Syntax ip ip-address undo ip Default No IP address is specified for an entity. Views PKI entity view Default command level 2: System level Parameters ip-address: Specifies the IP address of an entity.
  • Page 255: Locality

    Examples # Specify an LDAP server for PKI domain 1. <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] ldap-server ip 169.254.0.30 locality Use locality to configure the geographical locality of an entity, which can be, for example, a city name. Use undo locality to remove the configuration. Syntax locality locality-name undo locality...
  • Page 256: Organization-Unit

    Parameters org-name: Specifies an organization name for an entity, a case-insensitive string of 1 to 31 characters. No comma can be included. Examples # Configure the name of the organization to which an entity belongs as test-lab. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] organization test-lab organization-unit Use organization-unit to specify the name of the organization unit to which this entity belongs.
  • Page 257: Pki Certificate Attribute-Group

    Views System view Default command level 2: System level Parameters policy-name: Specifies a certificate attribute-based access control policy by its name, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all. all: Specifies all certificate attribute-based access control policies. Examples # Configure an access control policy named mypolicy and enter its view.
  • Page 258: Pki Domain

    Views System view Default command level 2: System level Parameters ca: Deletes the locally stored CA certificate. local: Deletes the locally stored local certificate. domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters. Examples # Delete the local certificate for PKI domain cer.
  • Page 259: Pki Import-Certificate

    Syntax pki entity entity-name undo pki entity entity-name Default No entity exists. Views System view Default command level 2: System level Parameters entity-name: Specifies a PKI entity name, a case-insensitive string of 1 to 15 characters. Usage guidelines You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for convenience of reference by other commands.
  • Page 260: Pki Request-Certificate Domain

    Usage guidelines In FIPS mode, MD5 certificates cannot be imported. Examples # Import the CA certificate for PKI domain cer in the format of PEM. <Sysname> system-view [Sysname] pki import-certificate ca domain cer pem Related commands pki domain pki request-certificate domain Use pki request-certificate domain to request a local certificate from a CA through SCEP.
  • Page 261: Pki Retrieval-Certificate

    R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c -----END CERTIFICATE REQUEST----- Related commands pki domain pki retrieval-certificate Use pki retrieval-certificate to obtain a certificate from the server for certificate distribution. Syntax pki retrieval-certificate { ca | local } domain domain-name Views System view Default command level 2: System level Parameters ca: Obtains the CA certificate.
  • Page 262: Pki Validate-Certificate

    <Sysname> system-view [Sysname] pki retrieval-crl domain 1 Related commands pki domain pki validate-certificate Use pki validate-certificate to verify the validity of a certificate. Syntax pki validate-certificate { ca | local } domain domain-name Views System view Default command level 2: System level Parameters ca: Verifies the CA certificate.
  • Page 263: Rule (Pki Cert Acp View)

    Default command level 2: System level Parameters md5: Uses an MD5 fingerprint. sha1: Uses a SHA1 fingerprint. string: Specifies the fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in hexadecimal. A SHA1 fingerprint must be a string of 40 characters in hexadecimal. Examples # Configure an MD5 fingerprint for verifying the validity of the CA root certificate.
  • Page 264: State

    Examples # Create an access control rule, specifying that a certificate is considered valid when it matches an attribute rule in the certificate attribute group mygroup. <Sysname> system-view [Sysname] pki certificate access-control-policy mypolicy [Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup state Use state to specify the name of the state or province where an entity resides. Use undo state to remove the configuration.
  • Page 265: Ipsec Configuration Commands

    IPsec configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
  • Page 266: Cryptoengine Enable

    Syntax connection-name name undo connection-name Default No IPsec connection name is configured. Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters name: Specifies the IPsec connection name, a case-insensitive string of 1 to 32 characters. Example # Set IPsec connection name to CenterToA.
  • Page 267 Syntax display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all IPsec policies. name: Displays detailed information about a specific IPsec policy or IPsec policy group.
  • Page 268 Field Description Mode Negotiation mode of the IPsec policy: • manual—Manual mode. • isakmp—IKE negotiation mode. • template—IPsec policy template mode. • gdoi—GDOI mode. ACL referenced by the IPsec policy. Mapped Template Referenced IPsec policy template. Local Address IP address of the local end. Remote Address IP address of the remote end.
  • Page 269 encapsulation mode: tunnel security data flow : 3002 tunnel local address: 162.105.10.1 tunnel remote address: 162.105.10.2 transform-set name: prop1 inbound AH setting: AH spi: 12345 (0x3039) AH string-key: AH authentication hex key : ****** inbound ESP setting: ESP spi: 23456 (0x5ba0) ESP string-key: ESP encryption hex key: ****** ESP authentication hex key: ******...
  • Page 270 ESP encryption hex key: ****** ESP authentication hex key: ****** outbound AH setting: AH spi: AH string-key: AH authentication hex key: outbound ESP setting: ESP spi: 23456 (0x5ba0) ESP string-key: ESP encryption hex key: ****** ESP authentication hex key: ****** =========================================== IPsec Policy Group: "gdoi-map"...
  • Page 271: Display Ipsec Policy-Template

    Field Description tunnel remote address Remote IP address of the tunnel. transform-set name Transform set referenced by the IPsec policy. policy enable Whether the IPsec policy is enabled or not. tfc enable Whether TFC padding is enabled. inbound/outbound AH/ESP setting AH/ESP settings in the inbound/outbound direction, including the SPI and keys.
  • Page 272 <Sysname> display ipsec policy-template brief Policy-template-Name Remote-Address ------------------------------------------------------ test-tplt300 2200 Table 37 Command output Field Description Policy-template-Name Name and sequence number of the IPsec policy template separated by a hyphen. ACL referenced by the IPsec policy template. Remote Address Remote IP address. # Display detailed information about all IPsec policy templates.
  • Page 273: Display Ipsec Profile

    Field Description IPsec sa local duration(time based) Time-based lifetime of the IPsec SAs at the local end. IPsec sa local duration(traffic based) Traffic-based lifetime of the IPsec SAs at the local end. Related commands ipsec policy-template display ipsec profile Use display ipsec profile to display the configuration information of IPsec profiles. Syntax display ipsec profile [ name profile-name ] [ | { begin | exclude | include } regular-expression ] Views...
  • Page 274 ike-peer name: peer1 PFS: N transform-set name: prop1 IPsec sa local duration(time based): 3600 seconds IPsec sa local duration(traffic based): 1843200 kilobytes policy enable: True tfc enable: False =========================================== IPsec profile: "btoa" Using interface: Tunnel1 =========================================== ----------------------------- IPsec profile name: "btoa" mode: tunnel ----------------------------- encapsulation mode: tunnel...
  • Page 275: Display Ipsec Sa

    Related commands ipsec profile display ipsec sa Use display ipsec sa to display information about IPsec SAs. Syntax display ipsec sa [ brief | policy policy-name [ seq-number ] | remote [ ipv6 ] ip-address ] [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 276 Table 40 Command output Field Description Src Address Local IP address. For SAs generated through GDOI policies or SAs generated through policies that are applied to IPv6 routing protocols, "—" is displayed for this field. Dst Address Remote IP address. For SAs generated through GDOI policies or SAs generated through policies that are applied to IPv6 routing protocols, "—"...
  • Page 277 [outbound ESP SAs] spi: 0x2fc8fd45(801701189) transform: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 2 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686 anti-replay detection: Enabled anti-replay window size(counter based): 32 udp encapsulation used for nat traversal: N =============================== Protocol: OSPFv3 =============================== -----------------------------...
  • Page 278 PFS: N, DH group: none tunnel: local address: 2.2.2.2 remote address: 0.0.0.0 flow: sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP current outbound spi: 0x2FC8FD45(801701189) [inbound ESP SAs] spi: 0xD47B1AC1(3564837569) transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 5 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686...
  • Page 279 Table 41 Command output Field Description Interface Interface referencing the IPsec policy. path MTU Maximum IP packet length supported by the interface. Protocol Name of the protocol to which the IPsec policy is applied. IPsec policy name Name of IPsec policy used. sequence number Sequence number of the IPsec policy.
  • Page 280: Display Ipsec Statistics

    Related commands • reset ipsec sa • ipsec sa global-duration display ipsec statistics Use display ipsec statistics to display IPsec packet statistics. Syntax display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
  • Page 281: Display Ipsec Transform-Set

    Connection ID : 3 ------------------------------------------------ the security packet statistics: input/output security packets: 5124/8231 input/output security bytes: 52348/64356 input/output dropped security packets: 0/0 dropped security packet detail: not enough memory: 0 queue is full: 0 authentication has failed: 0 wrong length: 0 replay packet: 0 packet too long: 0 wrong SA: 0...
  • Page 282 Syntax display ipsec transform-set [ transform-set-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters transform-set-name: Specifies the name of an IPsec transform set, a string of 1 to 32 characters. If you do not specify an IPsec transform set, the command displays information about all IPsec transform sets.
  • Page 283: Display Ipsec Tunnel

    Field Description AH protocol Authentication algorithm used by AH. ESP protocol Authentication algorithm and encryption algorithm used by ESP. Related commands ipsec transform-set display ipsec tunnel Use display ipsec tunnel to display information about IPsec tunnels. Syntax display ipsec tunnel [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
  • Page 284: Encapsulation-Mode

    outbound: 12345 (0x3039) [ESP] tunnel: flow: # Display information about IPsec tunnels in aggregation mode. <Sysname> display ipsec tunnel total tunnel: 2 ------------------------------------------------ connection id: 4 perfect forward secrecy: SA's SPI: inbound : 2454606993 (0x924e5491) [ESP] outbound : 675720232 (0x2846ac28) [ESP] tunnel : local address: 44.44.44.44...
  • Page 285: Esp Authentication-Algorithm

    Parameters transport: Uses transport mode. tunnel: Uses tunnel mode. Usage guidelines IPsec for IPv6 routing protocols supports only the transport mode. When IPsec uses IKE to set up the IPsec tunnel, this command can be used only in IPsec transform set view.
  • Page 286: Esp Encryption-Algorithm

    Examples # Configure IPsec transform set prop1 to use ESP and specify SHA-1 as the authentication algorithm for ESP. <Sysname> system-view [Sysname] ipsec transform-set prop1 [Sysname-ipsec-transform-set-prop1] transform esp [Sysname-ipsec-transform-set-prop1] esp authentication-algorithm sha1 Related commands • ipsec transform-set • esp encryption-algorithm esp encryption-algorithm Use esp encryption-algorithm to specify encryption algorithms for ESP.
  • Page 287: Ike-Peer (Ipsec Policy View/Ipsec Policy Template View/Ipsec Profile View)

    [Sysname] ipsec transform-set prop1 [Sysname-ipsec-transform-set-prop1] transform esp [Sysname-ipsec-transform-set-prop1] esp encryption-algorithm 3des Related commands • display ipsec transform-set • esp authentication-algorithm ike-peer (IPsec policy view/IPsec policy template view/IPsec profile view) Use ike-peer to reference an IKE peer in an IPsec policy, IPsec policy template, or IPsec profile configured through IKE negotiation.
  • Page 288: Ipsec Anti-Replay Window

    undo ipsec anti-replay check Default IPsec anti-replay checking is enabled. Views System view Default command level 2: System level Examples # Enable IPsec anti-replay checking. <Sysname> system-view [Sysname] ipsec anti-replay check ipsec anti-replay window Use ipsec anti-replay window to set the size of the anti-replay window. Use undo ipsec anti-replay window to restore the default.
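The anti-replay window that these two commands control is a sliding bitmap keyed on the AH/ESP sequence number (RFC 4303, section 3.4.3). The following is an added example, not code from the HPE manual: a Python model of that window, with constructed sequence-number traces, showing why a replayed packet is dropped, why a legitimate but late packet is dropped when the window is too small, and why raising the window size (the value ipsec anti-replay window sets) is the fix on links where QoS queuing reorders traffic.

```python
"""Sliding-window anti-replay check of the kind IPsec AH/ESP use (RFC 4303, 3.4.3).

Added example, not code from the HPE manual. The window size passed in plays
the role of the value set with 'ipsec anti-replay window'; the sequence-number
traces fed through it below are constructed test input.
"""


class AntiReplayWindow:
    """Tracks received 32-bit ESP/AH sequence numbers inside a fixed-size window.

    Bit i of the bitmap records whether sequence number (highest - i) has been
    seen. A packet is a replay if it falls below the window's lower edge or if
    its bit is already set.
    """

    def __init__(self, size: int = 32):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit 0 corresponds to self.highest

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False   # RFC 4303: the first packet on an SA carries sequence number 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                       # everything old falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # too old: below the left edge of the window
        if self.bitmap & (1 << offset):
            return False   # duplicate inside the window: replay
        self.bitmap |= 1 << offset
        return True


def run_trace(window_size: int, seqs):
    """Feed a sequence-number trace through a fresh window; return (seq, accepted) pairs."""
    window = AntiReplayWindow(window_size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: light reordering (5 before 4), one true replay (3 twice),
    # then a jump to 40 that leaves packet 8 outside a 32-entry window.
    TRACE = [1, 2, 3, 5, 4, 3, 40, 8, 9, 45]
    for seq, ok in run_trace(32, TRACE):
        print(f"seq {seq:>3}: {'accept' if ok else 'DROP'}")
    # The same late packet survives with a larger window, which is why the
    # window size is raised on links where QoS queuing reorders traffic.
    print("seq 8 with window 64:", run_trace(64, [40, 8])[1][1])
```

Disabling the check with undo ipsec anti-replay check removes this protection entirely; a larger window is the safer response to reordering.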
  • Page 289: Ipsec Fragmentation Before-Encryption

    Default ACL checking of de-encapsulated IPsec packets is enabled. Views System view Default command level 2: System level Examples # Enable ACL checking of de-encapsulated IPsec packets. <Sysname> system-view [Sysname] ipsec decrypt check ipsec fragmentation before-encryption Use ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation before encryption.
  • Page 290: Ipsec Invalid-Spi-Recovery Enable

    [Sysname] ipsec fragmentation before-encryption enable ipsec invalid-spi-recovery enable Use ipsec invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery. Use undo ipsec invalid-spi-recovery enable to restore the default. Syntax ipsec invalid-spi-recovery enable undo ipsec invalid-spi-recovery enable Default The invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs. Views System view Default command level...
  • Page 291: Ipsec Policy (System View)

    With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to protect certain data flows. For each packet to be sent out an IPsec protected interface, the system checks the IPsec policies of the IPsec policy group in the ascending order of sequence numbers.
  • Page 292: Ipsec Policy Isakmp Template

    In a group encrypted transport VPN, you must configure IPsec GDOI policies on the group members. For more information about group encrypted transport VPN, see Security Configuration Guide. Examples # Create an IPsec policy with the name policy1 and sequence number 100, and specify to set up SAs through IKE negotiation.
  • Page 293: Ipsec Policy-Template

    Examples # Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1. <Sysname> system-view [Sysname] ipsec policy policy2 200 isakmp template temp1 ipsec policy-template Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view.
  • Page 294: Ipsec Profile (Tunnel Interface View)

    Syntax ipsec profile profile-name undo ipsec profile profile-name Default No IPsec profile exists. Views System view Default command level 2: System level Parameters profile-name: Specifies the name for the IPsec profile, a case-insensitive string of 1 to 15 characters. Usage guidelines IPsec profiles can be applied only to DVPN interfaces and IPsec tunnel interfaces.
  • Page 295: Ipsec Sa Global-Duration

    To apply another IPsec profile to the tunnel interface, remove the original application first. An IPsec profile cannot be applied to the DVPN tunnel interface and the IPsec tunnel interface simultaneously. Examples # Apply IPsec profile vtiprofile to the IPsec tunnel interface. <Sysname>...
  • Page 296: Ipsec Transform-Set

    The SA lifetime applies to only IKE negotiated SAs. It is not effective on manually configured SAs. Examples # Set the time-based global SA lifetime to 7200 seconds (2 hours). <Sysname> system-view [Sysname] ipsec sa global-duration time-based 7200 # Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes). [Sysname] ipsec sa global-duration traffic-based 10240 Related commands •...
  • Page 297: Policy Enable

    undo pfs Default The PFS feature is not used for negotiation. Views IPsec policy view, IPsec policy template view, IPsec profile view Default command level 2: System level Parameters dh-group1: Uses 768-bit Diffie-Hellman group. This keyword is not available in FIPS mode. dh-group2: Uses 1024-bit Diffie-Hellman group.
  • Page 298: Qos Pre-Classify

    Default command level 2: System level Usage guidelines The command is not applicable to manual IPsec policies. If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation. Examples # Enable the IPsec policy with the name policy1 and sequence number 100. <Sysname>...
  • Page 299: Reset Ipsec Sa

    reset ipsec sa Use reset ipsec sa to clear IPsec SAs. Syntax reset ipsec sa [ parameters [ ipv6 ] dest-address protocol spi | policy policy-name [ seq-number ] | remote [ ipv6 ] ip-address ] Views User view Default command level 2: System level Parameters parameters: Specifies IPsec SAs that use the specified destination address, security protocol, and...
  • Page 300: Reset Ipsec Statistics

    # Clear all IPsec SAs of IPsec policy policy1. <Sysname> reset ipsec sa policy policy1 Related commands display ipsec sa reset ipsec statistics Use reset ipsec statistics to clear IPsec packet statistics. Syntax reset ipsec statistics Views User view Default command level 1: Monitor level Examples # Clear IPsec packet statistics.
  • Page 301 Usage guidelines IPsec RRI operates in static mode or dynamic mode: • Static IPsec RRI creates one static route for each destination address permitted by the ACL that the IPsec policy references. Static IPsec RRI creates static routes immediately after you configure IPsec RRI for an IPsec policy and apply the IPsec policy.
  • Page 302 Examples # Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network 3.0.0.0/24 as the destination and the remote gateway 1.1.1.2 as the next hop. <Sysname> system-view [Sysname] ike peer 1 [Sysname-ike-peer-1] remote-address 1.1.1.2 [Sysname-ike-peer-1] quit [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0...
  • Page 303: Reverse-Route Preference

    # Configure dynamic IPsec RRI to create static routes based on IPsec SAs. Take 1.1.1.3 as the next hop. [Sysname] ipsec policy 1 1 isakmp [Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 [Sysname-ipsec-policy-isakmp-1-1] quit # Display the routing table. The expected route appears in the routing table after the IPsec SA negotiation succeeds.
  • Page 304: Reverse-Route Tag

    When you change the route preference, static IPsec RRI deletes all static routes it has created and creates new static routes. In contrast, dynamic IPsec RRI applies the new preference only to subsequent static routes. It does not delete or modify static routes it has created. Examples # Set the preference to 100 for static routes populated by IPsec RRI.
  • Page 305: Sa Authentication-Hex

    sa authentication-hex Use sa authentication-hex to configure an authentication key for an SA. Use undo sa authentication-hex to remove the configuration. Syntax sa authentication-hex { inbound | outbound } { ah | esp } [ cipher | simple ] hex-key undo sa authentication-hex { inbound | outbound } { ah | esp } Views IPsec policy view...
  • Page 306: Sa Duration

    [Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah simple aabbccddeeff001100aabbccddeeff00 Related commands ipsec policy (system view) sa duration Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile. Use undo sa duration to restore the default. Syntax sa duration { time-based seconds | traffic-based kilobytes } undo sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime.
  • Page 307: Sa Encryption-Hex

    [Sysname-ipsec-profile-profile1] sa duration time-based 7200 # Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes). <Sysname> system-view [Sysname] ipsec profile profile1 [Sysname-ipsec-profile-profile1] sa duration traffic-based 20480 Related commands • ipsec sa global-duration • ipsec policy (system view) •...
  • Page 308: Sa Spi

    At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel. Examples # Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.
  • Page 309: Sa String-Key

    connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group. Examples # Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.
  • Page 310: Security Acl

    The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA. Enter keys in the same format for the local and remote inbound and outbound SAs. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.
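The sa spi, sa string-key, sa authentication-hex and sa encryption-hex pages above all come down to one rule: the local inbound SA must mirror the remote outbound SA (same SPI, same protocol, same keys, same key format), and vice versa. The following is an added example, not code from the HPE manual: a Python checker that parses the sa lines of the manual policies at both ends and reports every mismatch. The sa authentication-hex and sa encryption-hex forms follow this page's syntax; the sa spi and sa string-key forms are assumed to use the same { inbound | outbound } { ah | esp } pattern. The SPI and key values are the ones shown in the examples above, placed in constructed configurations.

```python
"""Consistency check for a manually keyed IPsec policy pair.

Added example, not code from the HPE manual. It parses the sa spi,
sa string-key, sa authentication-hex and sa encryption-hex lines of the manual
IPsec policies configured at both tunnel ends and reports the mismatches that
would leave the SAs unable to process each other's traffic. The sa spi and
sa string-key command forms are assumed to follow the same
{ inbound | outbound } { ah | esp } pattern as sa authentication-hex.
"""


def parse_manual_sa(config_lines):
    """Return {'inbound': {...}, 'outbound': {...}} from one policy's sa * lines.

    Each direction records the security protocol, the SPI, the key formats
    used ('hex' or 'string') and the configured key material.
    """
    sas = {d: {"keys": {}, "formats": set()} for d in ("inbound", "outbound")}
    for raw in config_lines:
        tokens = raw.split()
        if len(tokens) < 5 or tokens[0] != "sa":
            continue                     # ipsec policy ..., security acl ..., etc.
        cmd, direction, proto = tokens[1], tokens[2], tokens[3]
        sa = sas[direction]
        sa["proto"] = proto
        if cmd == "spi":
            sa["spi"] = int(tokens[4])
        elif cmd == "string-key":
            sa["formats"].add("string")
            sa["keys"]["string"] = tokens[-1]           # [ cipher | simple ] is optional
        elif cmd in ("authentication-hex", "encryption-hex"):
            sa["formats"].add("hex")
            sa["keys"][cmd.split("-")[0]] = tokens[-1]  # 'authentication' / 'encryption'
    return sas


def check_manual_pair(local, remote):
    """Return a list of problems; an empty list means the two ends are consistent."""
    problems = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        a, b = local[mine], remote[theirs]
        if not a["keys"]:
            problems.append(f"local {mine} SA has no key configured")
        if a.get("spi") != b.get("spi"):
            problems.append(f"local {mine} SPI {a.get('spi')} != remote {theirs} SPI {b.get('spi')}")
        if a.get("proto") != b.get("proto"):
            problems.append(f"local {mine} protocol {a.get('proto')} != remote {theirs} protocol {b.get('proto')}")
        if a["keys"] != b["keys"]:
            problems.append(f"local {mine} key material != remote {theirs} key material")
    formats = set()
    for side in (local, remote):
        for d in ("inbound", "outbound"):
            formats |= side[d]["formats"]
    if len(formats) > 1:
        problems.append("hex and string key formats are mixed across the four SAs")
    # Not a rule from the manual but a practitioner check: SAs are unidirectional,
    # so the two directions should not share key material.
    if local["inbound"]["keys"] and local["inbound"]["keys"] == local["outbound"]["keys"]:
        problems.append("inbound and outbound SAs reuse the same key material")
    return problems


# Constructed configurations, reusing the SPI and key values shown on this page.
LOCAL = """
ipsec policy policy1 100 manual
 sa spi inbound esp 10000
 sa spi outbound esp 20000
 sa encryption-hex inbound esp simple 1234567890abcdef
 sa encryption-hex outbound esp simple abcdefabcdef1234
 sa authentication-hex inbound esp simple aabbccddeeff001100aabbccddeeff00
 sa authentication-hex outbound esp simple 00ffeeddccbbaa001100ffeeddccbbaa
""".splitlines()

REMOTE_OK = """
ipsec policy policy1 100 manual
 sa spi inbound esp 20000
 sa spi outbound esp 10000
 sa encryption-hex inbound esp simple abcdefabcdef1234
 sa encryption-hex outbound esp simple 1234567890abcdef
 sa authentication-hex inbound esp simple 00ffeeddccbbaa001100ffeeddccbbaa
 sa authentication-hex outbound esp simple aabbccddeeff001100aabbccddeeff00
""".splitlines()

# Wrong outbound SPI, and the inbound SA keyed with a string instead of hex.
REMOTE_BAD = """
ipsec policy policy1 100 manual
 sa spi inbound esp 20000
 sa spi outbound esp 10001
 sa string-key inbound esp simple abcdefabcdef1234
 sa encryption-hex outbound esp simple 1234567890abcdef
 sa authentication-hex outbound esp simple aabbccddeeff001100aabbccddeeff00
""".splitlines()

if __name__ == "__main__":
    for name, remote in (("REMOTE_OK", REMOTE_OK), ("REMOTE_BAD", REMOTE_BAD)):
        print(name, check_manual_pair(parse_manual_sa(LOCAL), parse_manual_sa(remote)) or "consistent")
```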
  • Page 311: Transform

    aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the standard mode is used. This protection mode is not available for IPv6 data flow. Usage guidelines With an IKE-dependent IPsec policy configured, data flows can be protected in two modes: •...
  • Page 312: Transform-Set

    Default The ESP protocol is used. Views IPsec transform set view Default command level 2: System level Parameters ah: Uses the AH protocol. ah-esp: Uses ESP first and then AH. esp: Uses the ESP protocol. Usage guidelines The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol. Examples # Configure IPsec transform set prop1 to use AH.
  • Page 313: Tunnel Local

    A manual IPsec policy can reference only one IPsec transform set. To replace a referenced IPsec transform set, use the undo transform-set command to remove the original transform set binding and then use the transform-set command to reconfigure one. An IKE negotiated IPsec policy can reference up to six IPsec transform sets. The IKE negotiation process will search for and use the exactly matched transform set.
  • Page 314: Tunnel Remote

    The local address, if not configured, will be the address of the interface to which the IPsec policy is applied. Examples # Set the local address of the IPsec tunnel to the address of Loopback 0, 10.0.0.1. <Sysname> system-view [Sysname] interface loopback 0 [Sysname-LoopBack0] ip address 10.0.0.1 32 [Sysname-LoopBack0] quit [Sysname] ipsec policy policy1 100 manual...
  • Page 315: Ike Configuration Commands

    IKE configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
  • Page 316: Certificate Domain

    Views IKE proposal view Default command level 2: System level Parameters pre-share: Uses the pre-shared key method. rsa-signature: Uses the RSA digital signature method. Examples # Specify that IKE proposal 10 uses the pre-shared key authentication method. <Sysname> system-view [Sysname] ike proposal 10 [Sysname-ike-proposal-10] authentication-method pre-share Related commands •...
  • Page 317: Display Ike Dpd

    Use undo dh to restore the default. Syntax dh { group1 | group2 | group5 | group14 } undo dh Default In FIPS mode, group2 (1024-bit Diffie-Hellman group) is used. In non-FIPS mode, group1 (768-bit Diffie-Hellman group) is used. Views IKE proposal view Default command level 2: System level...
  • Page 318: Display Ike Peer

    include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays information about all DPD detectors. Examples # Display information about all DPD detectors.
  • Page 319: Display Ike Proposal

    Examples # Display information about all IKE peers. <Sysname> display ike peer --------------------------- IKE Peer: rtb4tunn exchange mode: main on phase 1 pre-shared-key ****** peer id type: ip peer ip address: 44.44.44.55 local ip address: peer name: nat traversal: disable dpd: dpd1 --------------------------- Table 47 Command output...
  • Page 320: Display Ike Sa

    exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines This command displays the configuration information of all IKE proposals in the descending order of proposal priorities.
  • Page 321 Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range of 1 to 2000000000. remote: Displays detailed information about IKE SAs with a specific remote address. ipv6: Specifies an IPv6 address. ip-address: Specifies the remote address.
  • Page 322 Field Description The phase the SA belongs to: • Phase 1—The phase for establishing the ISAKMP SA. phase • Phase 2—The phase for negotiating the security service. IPsec SAs are established in this phase. Interpretation domain to which the SA belongs: •...
  • Page 323 remote ip: 4.4.4.5 connection id: 2 authentication-method: PRE-SHARED-KEY authentication-algorithm: HASH-SHA1 encryption-algorithm: DES-CBC life duration(sec): 86400 remaining key duration(sec): 82480 exchange-mode: MAIN diffie-hellman group: GROUP1 nat traversal: NO # Display detailed information about the IKE SA with the remote address of 4.4.4.5. <Sysname>...
  • Page 324: Dpd

    Field Description remote id Identifier of the remote security gateway. local ip IP address of the local gateway. remote ip IP address of the remote gateway. connection id Identifier of the IKE SA and IPsec SA. authentication-method Authentication method used by the IKE proposal. authentication-algorithm Authentication algorithm used by the IKE proposal.
  • Page 325: Encryption-Algorithm

    encryption-algorithm Use encryption-algorithm to specify an encryption algorithm for an IKE proposal. Use undo encryption-algorithm to restore the default. Syntax encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc } undo encryption-algorithm Default In FIPS mode, an IKE proposal uses 128-bit AES in CBC mode (aes-cbc 128). In non-FIPS mode, an IKE proposal uses 56-bit DES in CBC mode (des-cbc). Single DES offers only 56-bit security; configure aes-cbc explicitly rather than relying on the non-FIPS default.
  • Page 326: Id-Type

    Views IKE peer view Default command level 2: System level Parameters aggressive: Specifies the aggressive mode. This keyword is not available in FIPS mode. main: Specifies the main mode. Usage guidelines When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, Hewlett Packard Enterprise recommends setting the IKE negotiation mode to aggressive at the local end. In aggressive mode the identities and the hash that authenticates the pre-shared key are exchanged unencrypted, so a captured exchange can be used to attack a weak pre-shared key offline; use a long random key when you rely on this mode.
  • Page 327: Ike Dpd

    If the ID type of FQDN is used, configure a name without any at sign (@) for the local security gateway, for example, foo.bar.com. If the ID type of user FQDN is used, configure a name with an at sign (@) for the local security gateway, for example, test@foo.bar.com. Examples # Use the ID type of name during IKE negotiation.
  • Page 328: Ike Local-Name

    <Sysname> system-view [Sysname] ike dpd dpd2 Related commands • display ike dpd • interval-time • time-out ike local-name Use ike local-name to configure a name for the local security gateway. Use undo ike local-name to restore the default. Syntax ike local-name name undo ike local-name Default The device name is used as the name of the local security gateway.
  • Page 329: Ike Next-Payload Check Disabled

    ike next-payload check disabled Use ike next-payload check disabled to disable checking of the Next payload field in the last payload of an IKE message during IKE negotiation, so that the device can interoperate with products that set the field to a value other than zero. Use undo ike next-payload check disabled to restore the default.
  • Page 330: Ike Sa Keepalive-Timer Interval

    Use undo ike proposal to delete an IKE proposal. Syntax ike proposal proposal-number undo ike proposal proposal-number Views System view Default command level 2: System level Parameters proposal-number: Specifies the IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal.
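The proposal-number rule above (lower number, higher priority) decides which parameter set is offered first, and the proposal pages above state the non-FIPS defaults a new proposal starts with (des-cbc, group1). The following is an added example, not code from the HPE manual: a Python model of phase-1 proposal selection with a weak-parameter audit. It shows the common failure where a hardened proposal 10 fails to match because of one differing parameter and negotiation silently falls through to a forgotten proposal 20 left at defaults. The SHA-1 hash default and the responder's tie-break (first offered exact match) are assumptions, since the hash default is not reproduced above and real IKEv1 implementations may choose differently among several acceptable offers.

```python
"""IKE phase-1 proposal selection and a weak-parameter audit.

Added example, not code from the HPE manual. It models how proposals ordered by
number (lower number, higher priority) are offered and matched, and shows why
a proposal left at the non-FIPS defaults stated on this page (des-cbc, group1)
must not stay in the list. The SHA-1 hash default and the responder tie-break
are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Defaults for a new IKE proposal in non-FIPS mode (hash default assumed).
DEFAULTS = {"auth_method": "pre-share", "auth_alg": "sha1", "enc": "des-cbc", "dh": "group1"}

# Parameter values a practitioner should treat as unacceptable.
WEAK = {"enc": {"des-cbc"}, "dh": {"group1"}, "auth_alg": {"md5"}}


@dataclass(frozen=True)
class Proposal:
    number: int                                   # 1..65535, lower is preferred
    auth_method: str = DEFAULTS["auth_method"]
    auth_alg: str = DEFAULTS["auth_alg"]
    enc: str = DEFAULTS["enc"]                    # e.g. "aes-cbc-256" for aes-cbc 256
    dh: str = DEFAULTS["dh"]

    def params(self) -> Tuple[str, str, str, str]:
        return (self.auth_method, self.auth_alg, self.enc, self.dh)


def ordered(proposals: Sequence[Proposal]) -> List[Proposal]:
    """Proposals are offered and searched in ascending number order."""
    return sorted(proposals, key=lambda p: p.number)


def negotiate_phase1(initiator, responder) -> Optional[Tuple[Proposal, Proposal]]:
    """Return (initiator_proposal, responder_proposal) for the first exact match, or None.

    The initiator offers its proposals in priority order; the responder accepts
    the first offered parameter set that exactly matches one of its own. Any
    parameter that differs (including the DH group) means no match.
    """
    by_params = {}
    for r in ordered(responder):
        by_params.setdefault(r.params(), r)
    for i in ordered(initiator):
        match = by_params.get(i.params())
        if match is not None:
            return i, match
    return None


def weak_parameters(proposal: Proposal) -> List[str]:
    """List the weak settings of a proposal, e.g. ['dh=group1', 'enc=des-cbc']."""
    return sorted(f"{k}={getattr(proposal, k)}" for k, bad in WEAK.items() if getattr(proposal, k) in bad)


if __name__ == "__main__":
    # Site A hardened proposal 10, but 'ike proposal 20' was created and left at defaults.
    site_a = [Proposal(10, enc="aes-cbc-256", dh="group14"), Proposal(20)]
    # Site B chose a different AES key length, so proposal 10 will not match.
    site_b = [Proposal(10, enc="aes-cbc-128", dh="group14"), Proposal(20)]
    chosen = negotiate_phase1(site_a, site_b)
    print("negotiated:", chosen[1].params(), "weak:", weak_parameters(chosen[1]))
    # With the default proposals removed the mismatch fails closed instead.
    print("without proposal 20:", negotiate_phase1(site_a[:1], site_b[:1]))
```

The practical check after configuring proposals is display ike sa verbose on a live tunnel: the encryption-algorithm and diffie-hellman group fields show what was actually negotiated, not what proposal 10 intended.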
  • Page 331: Ike Sa Keepalive-Timer Timeout

    Views System view Default command level 2: System level Parameters seconds: Specifies the transmission interval of ISAKMP SA keepalives in seconds, in the range of 20 to 28,800. Usage guidelines The keepalive interval configured at the local end must be shorter than the keepalive timeout configured at the remote end.
  • Page 332: Ike Sa Nat-Keepalive-Timer Interval

    Related commands ike sa keepalive-timer interval ike sa nat-keepalive-timer interval Use ike sa nat-keepalive-timer interval to set the NAT keepalive interval. Use undo ike sa nat-keepalive-timer interval to disable the function. Syntax ike sa nat-keepalive-timer interval seconds undo ike sa nat-keepalive-timer interval Default The NAT keepalive interval is 20 seconds.
  • Page 333: Local

    Examples # Set the DPD interval to 1 second for dpd2. <Sysname> system-view [Sysname] ike dpd dpd2 [Sysname-ike-dpd-dpd2] interval-time 1 local Use local to set the subnet type of the local security gateway for IKE negotiation. Use undo local to restore the default. Syntax local { multi-subnet | single-subnet } undo local...
  • Page 334: Local-Name

    Views IKE peer view Default command level 2: System level Parameters ipv6: Specifies an IPv6 address. ip-address: Specifies the IP address of the local security gateway to be used in IKE negotiation. Examples # Set the IP address of the local security gateway to 1.1.1.1. <Sysname>...
  • Page 335: Nat Traversal

    Related commands • remote-name • id-type nat traversal Use nat traversal to enable the NAT traversal function of IKE/IPsec. Use undo nat traversal to disable the NAT traversal function of IKE/IPsec. Syntax nat traversal undo nat traversal Default The NAT traversal function is disabled. Views IKE peer view Default command level...
  • Page 336: Pre-Shared-Key

    Examples # Set the subnet type of the peer security gateway to multiple. <Sysname> system-view [Sysname] ike peer xhy [Sysname-ike-peer-xhy] peer multi-subnet pre-shared-key Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation. Use undo pre-shared-key to remove the configuration. Syntax In FIPS mode: pre-shared-key [ [ cipher | simple ] key ]...
  • Page 337: Remote-Address

    undo proposal [ proposal-number ] Default An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view. Views IKE peer view Default command level 2: System level Parameters proposal-number&<1-6>: Specifies the sequence number of the IKE proposal for the IKE peer to reference, in the range of 1 to 65535.
  • Page 338: Remote-Name

    dynamic: Specifies to use dynamic address resolution for the IPsec remote peer name. If you do not provide this keyword, the local end has the remote host name resolved only once after you configure the remote host name. low-ip-address: Specifies the IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses.
  • Page 339: Reset Ike Sa

    Parameters name: Specifies the name of the peer security gateway for IKE negotiation, a string of 1 to 32 characters. Usage guidelines If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator.
  • Page 340: Sa Duration

    flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY <Sysname> reset ike sa 2 <Sysname> display ike sa total phase-1 SAs: connection-id peer flag phase ---------------------------------------------------------- 202.38.0.2 RD|ST IPSEC flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY Related commands display ike sa sa duration Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.
  • Page 341 Use undo time-out to restore the default. Syntax time-out time-out undo time-out Views IKE DPD view Default command level 2: System level Parameters time-out: Specifies the DPD packet retransmission interval in seconds, in the range of 1 to 60. Usage guidelines The default DPD packet retransmission interval is 5 seconds.
  • Page 342: Ssh Configuration Commands

    SSH configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server configuration commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
  • Page 343: Display Ssh User-Information

    Field Description SSH version SSH protocol version. When the server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2. SSH authentication-timeout Authentication timeout timer. SSH server key generating interval SSH server key pair update interval. SSH Authentication retries Maximum number of SSH authentication attempts.
  • Page 344 Syntax display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters username: Specifies an SSH username, a string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
  • Page 345: Sftp Server Enable

    sftp server enable Use sftp server enable to enable the SFTP server function. Use undo sftp server enable to disable the SFTP server function. Syntax sftp server enable undo sftp server enable Default The SFTP server function is disabled. Views System view Default command level 3: Manage level...
  • Page 346: Ssh Server Authentication-Retries

    <Sysname> system-view [Sysname] sftp server idle-timeout 500 Related commands display ssh server ssh server authentication-retries Use ssh server authentication-retries to set the maximum number of connection authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default. Syntax ssh server authentication-retries times undo ssh server authentication-retries...
  • Page 347: Ssh Server Compatible-Ssh1X Enable

    Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The authentication timeout timer is 60 seconds. Views System view Default command level 3: Manage level Parameters time-out-value: Specifies an authentication timeout timer in seconds, in the range of 1 to 120. Usage guidelines If a user does not finish the authentication when the timer expires, the connection cannot be established.
  • Page 348: Ssh Server Enable

    [Sysname] ssh server compatible-ssh1x enable Related commands display ssh server ssh server enable Use ssh server enable to enable the SSH server function so that the SSH clients use SSH to communicate with the server. Use undo ssh server enable to disable the SSH server function. Syntax ssh server enable undo ssh server enable...
  • Page 349: Ssh User

    Usage guidelines This command is only available to SSH users that use SSH1 client software. Updating the RSA server key pair periodically limits how long a compromised or recovered key remains usable and so enhances the security of SSH connections. The system does not update any DSA key pair periodically. Examples # Set the RSA server key pair update interval to 3 hours.
  • Page 350 method is supported only when the router acts as an SSH server and uses the HWTACACS server as the remote authentication server. • any: Specifies either password authentication, publickey authentication, or keyboard-interactive authentication. • password-publickey: Specifies both password authentication and publickey authentication (featuring higher security) if the client runs SSH2, and specifies either type of authentication if the client runs SSH1.
  • Page 351: Ssh Client Configuration Commands

    SSH client configuration commands bye Use bye to terminate the connection with the SFTP server and return to user view. Syntax bye Views SFTP client view Default command level 3: Manage level Usage guidelines This command functions as the exit and quit commands. Examples # Terminate the connection with the SFTP server.
  • Page 352: Cdup

    cdup Use cdup to return to the upper-level directory. Syntax cdup Views SFTP client view Default command level 3: Manage level Examples # Return to the upper-level directory from the current working directory /new1. sftp-client> cdup Current Directory is: delete Use delete to delete files from a server.
  • Page 353: Display Sftp Client Source

    Syntax dir [ -a | -l ] [ remote-path ] Views SFTP client view Default command level 3: Manage level Parameters -a: Displays the names of the files and sub-directories under the specified directory. -l: Displays detailed information about the files and sub-directories under the specified directory in the form of a list.
  • Page 354: Display Ssh Client Source

    include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If neither source IP address nor source interface is specified for the SFTP client, the system displays the message "Neither source IP address nor source interface was specified for the SFTP client."...
  • Page 355: Display Ssh Server-Info

    display ssh server-info Use display ssh server-info on a client to display mappings between SSH servers and their host public keys on an SSH client. Syntax display ssh server-info [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
  • Page 356: Get

    Views SFTP client view Default command level 3: Manage level Usage guidelines This command functions as the bye and quit commands. Examples # Terminate the connection with the SFTP server. sftp-client> exit Connection closed. <Sysname> get Use get to download a file from the SFTP server and save it locally. Syntax get remote-file [ local-file ] Views...
  • Page 357 Parameters all: Displays all commands. command-name: Specifies a command. Usage guidelines If you do not specify any argument or keyword, the command displays all commands in a list. Examples # Display the help information of the get command. sftp-client> help get get remote-path [local-path] Download file.Default local-path is the same as remote-path...
  • Page 358: Mkdir

    mkdir Use mkdir to create a directory on the SFTP server. Syntax mkdir remote-path Views SFTP client view Default command level 3: Manage level Parameters remote-path: Specifies a directory on the SFTP server. Examples # Create a directory named test on the SFTP server. sftp-client>...
  • Page 359: Quit

    Default command level 3: Manage level Examples # Display the current working directory of the SFTP server. sftp-client> pwd quit Use quit to terminate the connection with an SFTP server and return to user view. Syntax quit Views SFTP client view Default command level 3: Manage level Usage guidelines...
  • Page 360: Rename

    The following files will be deleted: /temp.c Are you sure to delete it? [Y/N]:y This operation might take a long time.Please wait... File successfully Removed rename Use rename to change the name of a file or directory on an SFTP server. Syntax rename oldname newname Views...
  • Page 361: Scp

    scp Use scp to transfer files with an SCP server. Syntax In non-FIPS mode: scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *...
  • Page 362: Sftp

    • des: Specifies the encryption algorithm des-cbc. This keyword is not available in FIPS mode. prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96. • md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode. •...
  • Page 363 Syntax In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * In FIPS mode:...
  • Page 364: Sftp Client Ipv6 Source

    • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode. • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode. • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1. prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
  • Page 365: Sftp Client Source

    undo sftp client ipv6 source Default An SFTP client uses the IPv6 address of the outgoing interface chosen by the device's routing table as the source address for connecting to the SFTP server. Views System view Default command level 3: Manage level Parameters interface interface-type interface-number: Specifies a source interface by its type and number. ipv6 ipv6-address: Specifies a source IPv6 address.
  • Page 366: Sftp Ipv6

    Usage guidelines To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, Hewlett Packard Enterprise recommends that you specify a loopback interface as the source interface. Examples # Specify the source IP address of the SFTP client as 192.168.0.1.
  • Page 367 prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. • 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode. • aes128: Specifies the encryption algorithm aes128-cbc. • aes256: Specifies the encryption algorithm aes256-cbc. This keyword is not available in non-FIPS mode.
  • Page 368: Ssh Client Authentication Server

    • The preferred server-to-client encryption algorithm is aes128. • The preferred client-to-server HMAC algorithm is md5. • The preferred server-to-client HMAC algorithm is sha1-96. <Sysname> sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 Input Username: ssh client authentication server Use ssh client authentication server on the client to configure the host public key of the specified server so that the client can determine whether the server is trustworthy.
  • Page 369: Ssh Client Ipv6 Source

    Syntax ssh client first-time enable undo ssh client first-time Default The function is enabled. Views System view Default command level 2: System level Usage guidelines With first-time authentication disabled, a client that has no host public key configured for the server cannot connect to that server; configure the key with ssh client authentication server first.
  • Page 370: Ssh Client Source

    Usage guidelines To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, Hewlett Packard Enterprise recommends that you specify a loopback interface as the source interface. Examples # Specify the source IPv6 address as 2:2::2:2 for the Stelnet client.
  • Page 371 Syntax In non-FIPS mode: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * In FIPS mode:...
  • Page 372: Ssh2 Ipv6

    • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode.
    • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not available in FIPS mode.
    • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
    prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm.
  • Page 373 dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * In FIPS mode: ssh2 ipv6 server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * Views...
  • Page 374 prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128. prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96. Usage guidelines When the client's authentication method is publickey, the client must get the local private key for digital signature.
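    The prefer-kex, prefer-ctos-cipher, prefer-stoc-cipher and prefer-*-hmac keywords above only reorder what the client offers; which algorithm is actually used is settled by SSH algorithm negotiation (RFC 4253 section 7.1: the first name in the client's list that the server also lists). The following model, added here as an example and not code from the HSR6800 software, builds the client's name-lists from the keyword tables on this page for non-FIPS and FIPS mode and runs that negotiation. The hmac-* wire names are the standard SSH names, and the server lists in the usage example are constructed.

```python
"""SSH algorithm negotiation for the prefer-* keywords on this page.

Added example; not the HSR6800 implementation. Keyword and algorithm names
come from the parameter descriptions; hmac-* names are standard SSH names.
"""

# prefer-* keyword -> SSH algorithm name (from the parameter descriptions).
KEX = {"dh-group-exchange": "diffie-hellman-group-exchange-sha1",
       "dh-group1": "diffie-hellman-group1-sha1",
       "dh-group14": "diffie-hellman-group14-sha1"}
CIPHER = {"des": "des-cbc", "3des": "3des-cbc",
          "aes128": "aes128-cbc", "aes256": "aes256-cbc"}
HMAC = {"md5": "hmac-md5", "md5-96": "hmac-md5-96",
        "sha1": "hmac-sha1", "sha1-96": "hmac-sha1-96"}
TABLES = {"kex": KEX, "cipher": CIPHER, "hmac": HMAC}

# Keywords each mode accepts, taken from the non-FIPS and FIPS syntax lines.
NON_FIPS = {"kex": ["dh-group-exchange", "dh-group1", "dh-group14"],
            "cipher": ["3des", "aes128", "des"],
            "hmac": ["md5", "md5-96", "sha1", "sha1-96"]}
FIPS = {"kex": ["dh-group14"],
        "cipher": ["aes128", "aes256"],
        "hmac": ["sha1", "sha1-96"]}


def available(mode, kind, keyword):
    """True if the prefer-* keyword can be used in this mode."""
    return keyword in mode[kind]


def client_name_list(mode, kind, preferred=None):
    """Ordered name-list the client offers for one algorithm kind.

    preferred is the prefer-* keyword; it goes first and the remaining
    keywords follow in the order the syntax lists them.
    """
    keywords = list(mode[kind])
    if preferred is not None:
        if not available(mode, kind, preferred):
            # Same refusal as "This keyword is not available in FIPS mode".
            raise ValueError("%s is not available in this mode" % preferred)
        keywords.remove(preferred)
        keywords.insert(0, preferred)
    return [TABLES[kind][k] for k in keywords]


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the first client algorithm the server also supports,
    or None when there is no common algorithm (the connection fails)."""
    supported = set(server_list)
    for name in client_list:
        if name in supported:
            return name
    return None


if __name__ == "__main__":
    # Constructed server that still offers the group1 exchange.
    legacy_server_kex = ["diffie-hellman-group14-sha1",
                         "diffie-hellman-group1-sha1"]
    # The page's own example (prefer-kex dh-group1) lands on group1 ...
    print(negotiate(client_name_list(NON_FIPS, "kex", "dh-group1"),
                    legacy_server_kex))
    # ... while the same client in FIPS mode can only reach group14.
    print(negotiate(client_name_list(FIPS, "kex"), legacy_server_kex))
```

    The useful check is the last case: a FIPS-mode client offered only md5 HMACs by a peer gets None, that is, no connection rather than a silent downgrade, which is exactly what removing the weak keywords from the syntax is meant to guarantee.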
  • Page 375: Firewall Configuration Commands

    Firewall configuration commands Packet-filter firewall configuration commands display firewall ipv6 statistics Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall. Syntax display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 376: Display Firewall-Statistics

    Field: Description
    Out-bound Policy: Indicates that an IPv6 ACL is configured in the outbound direction of the interface.
    acl6: IPv6 ACL number.
    0 packets, 0 bytes, 0% permitted: The packets permitted by IPv6 ACL rules: the number of packets and bytes, and the percentage of permitted packets to the total.
  • Page 377: Firewall Default

    <Sysname> display firewall-statistics all firewall default Use firewall default to specify the default firewall filtering action of the IPv4 firewall. Syntax Standalone mode: firewall default { deny | permit } { all | slot slot-number } IRF mode: firewall default { deny | permit } { all | chassis chassis-number slot slot-number } Default The default filtering action of the IPv4 firewall is permitting packets to pass (permit).
  • Page 378: Firewall Ipv6 Default

    Default The IPv4 firewall function is disabled. Views System view Default command level 2: System level Parameters all: Specifies all interface cards. slot slot-number: Specifies the interface card in the specified slot. (In standalone mode.) chassis chassis-number slot slot-number: Specifies an interface card in an IRF member device. The chassis-number argument represents the IRF member ID of the device.
  • Page 379: Firewall Packet-Filter

    undo firewall ipv6 enable Default The IPv6 firewall function is disabled. Views System view Default command level 2: System level Examples # Enable the IPv6 firewall function. <Sysname> system-view [Sysname] firewall ipv6 enable firewall packet-filter Use firewall packet-filter to configure IPv4 packet filtering on the interface. Use undo firewall packet-filter to cancel the configuration.
  • Page 380: Firewall Packet-Filter Ipv6

    firewall packet-filter ipv6 Use firewall packet-filter ipv6 to configure IPv6 packet filtering on the interface. Use undo firewall packet-filter ipv6 to remove the IPv6 packet filtering setting on the interface. Syntax firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound } undo firewall packet-filter ipv6 [ { acl6-number | name acl6-name } ] { inbound | outbound } Default IPv6 packets are not filtered on the interface.
  • Page 381: Reset Firewall-Statistics

    interface interface-type interface-number: Clears the packet filtering statistics on the specified interface of the IPv6 firewall. Examples # Clear the packet filtering statistics on GigabitEthernet 3/0/1 of the IPv6 firewall. <Sysname> reset firewall ipv6 statistics interface gigabitethernet 3/0/1 Related commands display firewall ipv6 statistics reset firewall-statistics Use reset firewall-statistics to clear the packet filtering statistics of the IPv4 firewall.
  • Page 382: Display Aspf All

    Usage guidelines A defined ASPF policy can be applied through its policy number. Examples # Create an ASPF policy and enter the corresponding ASPF policy view. <Sysname> system-view [Sysname] aspf-policy 1 [Sysname-aspf-policy-1] display aspf all Use display aspf all to view information about all ASPF policies. Syntax display aspf all [ | { begin | exclude | include } regular-expression ] Views...
  • Page 383: Display Aspf Interface

    Field: Description
    icmp-error drop: Drop ICMP error messages.
    tcp syn-check: Drop any non-SYN packet that is the first packet over a TCP connection.
    undo icmp-error drop: Do not drop ICMP error messages.
    undo tcp syn-check: Do not drop a non-SYN packet that is the first packet over a TCP connection.
  • Page 384: Display Aspf Policy

    display aspf policy Use display aspf policy to view information about an ASPF policy. Syntax display aspf policy aspf-policy-number [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters aspf-policy-number: Specifies an ASPF policy number in the range of 1 to 99.
  • Page 385: Firewall Aspf

    Default command level 1: Monitor level Parameters application-name: Name of the application to be used for port mapping. Available applications include FTP, H323, HTTP, HTTPS, IKE, RTSP, SMTP, SSH, and VAM. port port-number: Displays port mapping information for the specified port. The port number is in the range of 0 to 65535.
  • Page 386: Icmp-Error Drop

    Syntax firewall aspf aspf-policy-number { inbound | outbound } undo firewall aspf aspf-policy-number { inbound | outbound } Default No ASPF policy is applied on the interface. Views Interface view Default command level 2: System level Parameters aspf-policy-number: Specifies the number of an ASPF policy, in the range of 1 to 99. inbound: Applies ASPF policy to inbound packets.
  • Page 387: Port-Mapping

    port-mapping Use port-mapping to map a port to an application layer protocol. Use undo port-mapping to remove a port mapping entry. Syntax port-mapping application-name port port-number [ acl acl-number ] undo port-mapping [ application-name port port-number [ acl acl-number ] ] Default There is no mapping between the port and the application layer.
  • Page 388 Examples # Configure ASPF policy 1 to drop any non-SYN packet which is the first packet over a TCP connection. <Sysname> system-view [Sysname] aspf-policy 1 [Sysname-aspf-policy-1] tcp syn-check Related commands aspf-policy...
  • Page 389: Alg Configuration Commands

    ALG configuration commands Use alg to enable ALG for a protocol. Use undo alg to disable ALG for a protocol. Syntax alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp } undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp } Default The ALG feature is enabled for all protocols.
  • Page 390: Session Management Commands

    Session management commands application aging-time Use application aging-time to set the aging timer for the sessions of an application layer protocol. Use undo application aging-time to restore the default. Syntax application aging-time { dns | ftp | msn | qq | sip } time-value undo application aging-time [ dns | ftp | msn | qq | sip ] Default The default session aging times for the application layer protocols vary with device models.
  • Page 391: Display Session Aging-Time

    Syntax display application aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  • Page 392: Display Session Hardware

    Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 393: Display Session Relation-Table

    Views Any view Default command level 1: Monitor level Parameters slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument specifies the ID of the IRF member device.
  • Page 394: Display Session Statistics

    |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 395 display session statistics [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides.
  • Page 396: Display Session Table

    Dropped TCP: 0 packet(s) 0 byte(s)
    Dropped UDP: 0 packet(s) 0 byte(s)
    Dropped ICMP: 0 packet(s) 0 byte(s)
    Dropped RAWIP: 0 packet(s) 0 byte(s)
    Table 63 Command output
    Field: Description
    Current session(s): Total number of sessions.
    Current TCP session(s): Number of TCP sessions.
    Half-Open: Number of TCP sessions in the half-open state.
  • Page 397 Views Any view Default command level 1: Monitor level Parameters slot slot-number: Specifies a card by its slot number. The slot-number argument represents the number of the slot where the card resides. (In standalone mode) chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument specifies the ID of the IRF member device.
  • Page 398 VPN-Instance/VLAN ID/VLL ID: Responder: Source IP/Port : 192.168.1.255/137 Dest IP/Port : 192.168.1.19/137 VPN-Instance/VLAN ID/VLL ID: Pro: UDP(17) App: NBT-name State: UDP-OPEN Start time: 2009-03-17 10:39:43 TTL: 2s Root Zone(in): Management Zone(out): Local Received packet(s)(Init): 6 packet(s) 468 byte(s) Received packet(s)(Reply): 0 packet(s) 0 byte(s) Initiator: Source IP/Port : 192.168.1.18/1212 Dest IP/Port...
  • Page 399: Reset Session

    Field: Description
    State: Session status. Possible values are:
    • Accelerate.
    • SYN.
    • TCP-EST.
    • FIN.
    • UDP-OPEN.
    • UDP-READY.
    • ICMP-OPEN.
    • ICMP-CLOSED.
    • RAWIP-OPEN.
    • RAWIP-READY.
    Start Time: Session establishment time.
    TTL: Remaining lifetime of the session, in seconds.
    Zone(in): Security zone (in).
  • Page 400: Reset Session Statistics

    source-ip source-ip: Clears the sessions with the specified source IP address of the initiator. destination-ip destination-ip: Clears the sessions with the specified destination IP address of the initiator. protocol-type { icmp | raw-ip | tcp | udp }: Clears the sessions of the specified protocol type. The protocol types include ICMP, Raw IP, TCP, and UDP.
  • Page 401: Session Aging-Time

    <Sysname> reset session statistics session aging-time Use session aging-time to set the aging timer for sessions of a specified protocol that are in a specified state. Use undo session aging-time to restore the default. If no keyword is specified, the command restores the session aging timers for all protocol states to the defaults.
  • Page 402: Session Checksum

    • TCP ESTABLISHED state: 3600 seconds.
    • UDP OPEN state: 30 seconds.
    • UDP READY state: 60 seconds.
    To display the session aging timers in different protocol states, use the display session aging-time command.
    Examples # Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 60 seconds.
    <Sysname>...
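    The ASPF tcp syn-check and icmp-error drop actions described earlier and the per-state session aging timers above are two views of the same session table. The following toy tracker, added here as an example and not the HSR6800 implementation, ties them together: it creates a session on the first packet of a flow, refuses a first TCP packet that is not a bare SYN when syn-check is on, moves the session through the states the display session table output names (SYN, TCP-EST, FIN, UDP-OPEN, UDP-READY), and ages each session with the timer for its current state. The TCP ESTABLISHED (3600 s), UDP OPEN (30 s) and UDP READY (60 s) values are the defaults quoted above; the SYN and FIN values and the packet dictionaries are assumptions of the model.

```python
"""Toy stateful session table: ASPF tcp syn-check, icmp-error drop, and
per-state aging. Added example; not the HSR6800 implementation."""

# ESTABLISHED/UDP values are the documented defaults; SYN and FIN are assumed.
DEFAULT_AGING = {"SYN": 30, "TCP-EST": 3600, "FIN": 30,
                 "UDP-OPEN": 30, "UDP-READY": 60}

# ICMP error message types (dest unreachable, source quench, redirect,
# time exceeded, parameter problem).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def flow_key(pkt):
    """Canonical key so that both directions of a flow map to one session."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)


class SessionTable:
    def __init__(self, tcp_syn_check=True, icmp_error_drop=False, aging=None):
        self.tcp_syn_check = tcp_syn_check
        self.icmp_error_drop = icmp_error_drop
        self.aging = dict(DEFAULT_AGING, **(aging or {}))
        self.sessions = {}  # flow key -> {"state", "initiator", "last"}

    def expire(self, now):
        """Remove sessions whose state timer has run out; return how many."""
        dead = [k for k, s in self.sessions.items()
                if now - s["last"] >= self.aging[s["state"]]]
        for k in dead:
            del self.sessions[k]
        return len(dead)

    def state_of(self, pkt):
        s = self.sessions.get(flow_key(pkt))
        return s["state"] if s else None

    def process(self, pkt, now):
        """Return "permit" or "drop" for pkt (a dict) seen at time now."""
        self.expire(now)
        proto = pkt["proto"]
        if proto == "icmp":
            if self.icmp_error_drop and pkt.get("type") in ICMP_ERROR_TYPES:
                return "drop"
            return "permit"
        key = flow_key(pkt)
        sess = self.sessions.get(key)
        from_initiator = sess is None or (pkt["src"], pkt["sport"]) == sess["initiator"]
        if proto == "tcp":
            flags = set(pkt.get("flags", ()))
            if sess is None:
                # syn-check: the first packet of a connection must be a bare SYN.
                if self.tcp_syn_check and flags != {"SYN"}:
                    return "drop"
                state = "SYN"
            elif "FIN" in flags or "RST" in flags:
                state = "FIN"
            elif sess["state"] == "SYN" and {"SYN", "ACK"} <= flags and not from_initiator:
                state = "SYN"          # SYN-ACK from the responder, still handshaking
            elif sess["state"] == "SYN" and "ACK" in flags and "SYN" not in flags and from_initiator:
                state = "TCP-EST"      # third handshake packet: established
            else:
                state = sess["state"]
        elif proto == "udp":
            if sess is None:
                state = "UDP-OPEN"
            elif sess["state"] == "UDP-OPEN" and not from_initiator:
                state = "UDP-READY"    # a reply has been seen
            else:
                state = sess["state"]
        else:
            return "permit"            # other protocols are not tracked here
        if sess is None:
            sess = {"initiator": (pkt["src"], pkt["sport"])}
            self.sessions[key] = sess
        sess["state"] = state
        sess["last"] = now             # the state timer restarts on every packet
        return "permit"
```

    The point to take from the model is the interaction between the two features: a stray ACK scan packet never creates a session, so it is dropped by syn-check before it can ever occupy a 3600-second ESTABLISHED slot, while a half-open SYN sits in a state with a short timer.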
  • Page 403: Session Log Bytes-Active

    Default The session aging time is not shortened. Views System view Default command level 2: System level Parameters shorten-time: Specifies the time value to shorten the session aging time. The value range is 5 to 100000 seconds. threshold-high-value: Specifies the upper threshold for the session ratio. The value range is 1 to 100 percent.
  • Page 404: Session Log Enable

    Parameters bytes-value: Byte count threshold for session logging, in the range of 1 to 1000 megabytes. Examples # Set the byte count threshold for session logging to 10 megabytes. <Sysname> system-view [Sysname] session log bytes-active 10 session log enable Use session log enable to enable the session logging function. Use undo session log enable to disable the session logging function.
  • Page 405: Session Log Packets-Active

    session log packets-active Use session log packets-active to set the packet count threshold for session logging. Use undo session log packets-active to restore the default. Syntax session log packets-active packets-value undo session log packets-active Default The system does not output session logs based on the packet count threshold. Views System view Default command level...
  • Page 406: Session Max-Entries

    session max-entries Use session max-entries to set the maximum number of sessions. Use undo session max-entries to cancel the upper limit. Syntax In standalone mode: session max-entries max-entries slot slot-number undo session max-entries [ max-entries ] slot slot-number In IRF mode: session max-entries max-entries chassis chassis-number slot slot-number undo session max-entries [ max-entries ] chassis chassis-number slot slot-number Default...
  • Page 407 Default No persistent session rule is specified. Views System view Default command level 2: System level Parameters acl-number: Specifies an ACL number in the range of 2000 to 3999. aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value range for the time-value argument is 0 to 360 and defaults to 24.
  • Page 408: Connection Limit Configuration Commands

    Connection limit configuration commands connection-limit apply policy Use connection-limit apply policy to apply a connection limit policy to the NAT module. Use undo connection-limit apply policy to remove the application. Syntax connection-limit apply policy policy-number undo connection-limit apply policy policy-number Views System view Default command level...
  • Page 409: Display Connection-Limit Policy

    Usage guidelines A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy. After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.
  • Page 410: Limit

    Field Description limit xxx Rule in the policy. For more information, see the limit command. Related commands limit limit Use limit to configure an IP address-based connection limit policy rule. Within a connection limit policy, the criteria of each rule must be unique. Use undo limit to remove a connection limit policy rule.
  • Page 411 per-source-destination: Limits connections by source-destination IP address pair. Usage guidelines The connection limit rules become invalid when the VPN instance with which they are associated is removed. The connection limit rules in a policy are matched in ascending order of rule ID. Take this match order into consideration when assigning rule IDs.
  • Page 412: Web Filtering Configuration Commands

    Web filtering configuration commands display firewall http activex-blocking Use display firewall http activex-blocking to display information about ActiveX blocking. Syntax display firewall http activex-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
  • Page 413: Display Firewall Http Java-Blocking

    Table 66 Command output Field Description Serial number. Match-Times Number of times that a suffix keyword is matched. Keywords ActiveX blocking suffix keyword. # Display detailed ActiveX blocking information. <Sysname> display firewall http activex-blocking verbose ActiveX blocking is enabled. No ACL group has been configured. There are 5 packet(s) being filtered.
  • Page 414: Display Firewall Http Url-Filter Host

    # Display Java blocking information for a specific suffix keyword. <Sysname> display firewall http java-blocking item .class The HTTP request packet including ".class" had been matched for 10 times. # Display Java blocking information for all suffix keywords. <Sysname> display firewall http java-blocking all Match-Times Keywords ----------------------------------------------...
  • Page 415: Display Firewall Http Url-Filter Parameter

    begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays brief information about URL address filtering.
  • Page 416 Syntax display firewall http url-filter parameter [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Specifies all filtering keywords. item keywords: Specifies a filtering keyword.
  • Page 417: Firewall Http Activex-Blocking Acl

    qqqqq Table 70 Command output Field Description Serial number. Match-Times Number of times that the keyword has been matched. Keywords URL parameter filtering keyword. # Display detailed information about URL parameter filtering. <Sysname> display firewall http url-filter parameter verbose URL-filter parameter is enabled. There are 10 packet(s) being filtered.
  • Page 418: Firewall Http Activex-Blocking Enable

    firewall http activex-blocking enable Use firewall http activex-blocking enable to enable the ActiveX blocking function and add the default blocking keyword .ocx to the ActiveX blocking suffix list. Use undo firewall http activex-blocking enable to disable the ActiveX blocking function. Syntax firewall http activex-blocking enable undo firewall http activex-blocking enable...
  • Page 419: Firewall Http Java-Blocking Acl

    Examples # Add .vbs to the ActiveX blocking suffix list. <Sysname> system-view [Sysname] firewall http activex-blocking suffix .vbs Related commands display firewall http activex-blocking firewall http java-blocking acl Use firewall http java-blocking acl to specify an ACL for Java blocking. Use undo firewall http java-blocking acl to cancel the configuration.
  • Page 420: Firewall Http Java-Blocking Suffix

    undo firewall http java-blocking enable Default The Java blocking function is disabled. Views System view Default command level 2: System level Examples # Enable the Java blocking function. <Sysname> system-view [Sysname] firewall http java-blocking enable Related commands display firewall http java-blocking firewall http java-blocking suffix Use firewall http java-blocking suffix to add a Java blocking suffix keyword to the Java blocking suffix list.
  • Page 421: Firewall Http Url-Filter Host Acl

    firewall http url-filter host acl Use firewall http url-filter host acl to specify an ACL for URL address filtering. Use undo firewall http url-filter host acl to cancel the configuration. Syntax firewall http url-filter host acl acl-number undo firewall http url-filter host acl Default No ACL is specified for URL address filtering.
  • Page 422: Firewall Http Url-Filter Host Enable

    Views System view Default command level 2: System level Parameters deny: Denies web requests. permit: Permits web requests. Examples # Specify the default filtering action as permit. <Sysname> system-view [Sysname] firewall http url-filter host default permit Related commands display firewall http url-filter host firewall http url-filter host enable Use firewall http url-filter host enable to enable the URL address filtering function.
  • Page 423: Firewall Http Url-Filter Host Url-Address

    Default The URL address filtering function denies web requests that use an IP address, rather than a host name, as the destination. Views System view Default command level 2: System level Parameters deny: Denies a web request whose destination URL contains an IP address instead of a host name. permit: Permits a web request whose destination URL contains an IP address instead of a host name.
  • Page 424: Firewall Http Url-Filter Parameter

    Table 71 Wildcard meanings (Wildcard / Meaning / Usage guidelines)
    Matches website addresses starting with the keyword. It can be present once at the beginning of a filtering entry.
    Matches website addresses ending with the keyword. It can be present once at the end of a filtering entry.
  • Page 425 Syntax firewall http url-filter parameter { default | keywords keywords } undo firewall http url-filter parameter [ default | keywords keywords ] Views System view Default command level 2: System level Parameters default: Specifies to use the default parameter filtering entries, including: ^select$, ^insert$, ^update$, ^delete$, ^drop$, --, ', ^exec$, and %27.
  • Page 426: Firewall Http Url-Filter Parameter Enable

    Examples # Add select to the parameter filtering entry list. <Sysname> system-view [Sysname] firewall http url-filter parameter keywords select Related commands display firewall http url-filter parameter firewall http url-filter parameter enable Use firewall http url-filter parameter enable to enable the URL parameter filtering function. Use undo firewall http url-filter parameter enable to disable the URL parameter filtering function.
  • Page 427 url-filter parameter: Specifies URL parameter filtering statistics. counter: Specifies to clear statistics. Examples # Clear URL address filtering statistics. <Sysname> reset firewall http url-filter host counter...
  • Page 428: Attack Detection And Protection Configuration Commands

    Attack detection and protection configuration commands attack-defense apply policy Use attack-defense apply policy to apply an attack protection policy to an interface. Use undo attack-defense apply policy to restore the default. Syntax attack-defense apply policy policy-number undo attack-defense apply policy Default No attack protection policy is applied to an interface.
  • Page 429: Attack-Defense Policy

    Default Attack protection logging is disabled. Views System view Default command level 2: System level Examples # Enable attack protection logging. <Sysname> system-view [Sysname] attack-defense logging enable attack-defense policy Use attack-defense policy to create an attack protection policy and enter attack protection policy view.
  • Page 430: Blacklist Enable

    Syntax attack-defense tcp fragment enable undo attack-defense tcp fragment enable Default TCP fragment attack protection is disabled. Views System view Default command level 2: System level Usage guidelines This command enables the device to drop attack TCP fragments to prevent TCP fragment attacks. Examples # Disable TCP fragment attack protection.
  • Page 431: Blacklist Ip

    blacklist ip Use blacklist ip to add a blacklist entry. After an IP address is added to the blacklist, the device filters all packets from it. Use undo blacklist to delete blacklist entries or cancel the aging time configuration of a blacklist entry.
  • Page 432: Defense Icmp-Flood Enable

    Default The device does not process the attack packets if it detects an ICMP flood attack. Views Attack protection policy view Default command level 2: System level Examples # Configure attack protection policy 1 to drop ICMP flood attack packets. <Sysname>...
  • Page 433: Defense Icmp-Flood Ip

    defense icmp-flood ip Use defense icmp-flood ip to configure the action and silence thresholds for ICMP flood attack protection of a specific IP address. Use undo defense icmp-flood ip to remove the configuration. Syntax defense icmp-flood ip ip-address rate-threshold high rate-number [ low rate-number ] undo defense icmp-flood ip ip-address [ rate-threshold ] Default No ICMP flood attack protection thresholds are configured for an IP address.
  • Page 434: Defense Icmp-Flood Rate-Threshold

    defense icmp-flood rate-threshold Use defense icmp-flood rate-threshold to configure the global action and silence thresholds for ICMP flood attack protection. The device uses the global attack protection thresholds to protect IP addresses for which you do not configure attack protection parameters specifically. Use undo defense icmp-flood rate-threshold to restore the default.
  • Page 435: Defense Scan Add-To-Blacklist

    defense scan add-to-blacklist Use defense scan add-to-blacklist to enable the blacklist function for scanning attack protection. Use undo defense scan add-to-blacklist to restore the default. Syntax defense scan add-to-blacklist undo defense scan add-to-blacklist Default The blacklist function for scanning attack protection is not enabled. Views Attack protection policy view Default command level...
  • Page 436: Defense Scan Blacklist-Timeout

    • defense scan enable • defense scan max-rate defense scan blacklist-timeout Use defense scan blacklist-timeout to specify the aging time for entries blacklisted by scanning attack protection. Use undo defense scan blacklist-timeout to restore the default, which is 10 minutes. Syntax defense scan blacklist-timeout minutes undo defense scan blacklist-timeout...
  • Page 437: Defense Scan Max-Rate

    Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address. If the connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate command), the device considers the IP address a scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less than the threshold.
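    The scanning-protection behaviour described above (per-IP connection rate compared against defense scan max-rate, drops while the rate stays at or above it, and with defense scan add-to-blacklist an automatic blacklist entry that ages out after defense scan blacklist-timeout minutes, 10 by default) is modelled below. This is an added example, not the HSR6800 code. The one-second measurement window, the fact that dropped attempts still count toward the rate, and the sample addresses and timings are assumptions of the model; the entry fields (type manual or auto, aging started, aging finished with Never) follow the display blacklist output documented later on this page.

```python
"""Scanning attack protection with add-to-blacklist and blacklist-timeout.
Added example; not the HSR6800 implementation."""
import collections


class ScanDefense:
    WINDOW = 1.0  # seconds over which the connection rate is measured (assumed)

    def __init__(self, max_rate, add_to_blacklist=False, blacklist_timeout_min=10):
        self.max_rate = max_rate                      # defense scan max-rate
        self.add_to_blacklist = add_to_blacklist      # defense scan add-to-blacklist
        self.blacklist_timeout = blacklist_timeout_min * 60   # defense scan blacklist-timeout
        # ip -> timestamps of connection attempts inside the current window
        self.attempts = collections.defaultdict(collections.deque)
        # ip -> {"type": "manual" | "auto", "started": t, "finished": t or None}
        self.blacklist = {}

    def blacklist_add(self, ip, now, entry_type="manual", aging=None):
        """Add an entry (blacklist ip); aging None means it never ages out."""
        self.blacklist[ip] = {"type": entry_type, "started": now,
                              "finished": None if aging is None else now + aging}

    def is_blacklisted(self, ip, now):
        entry = self.blacklist.get(ip)
        if entry is None:
            return False
        if entry["finished"] is not None and now >= entry["finished"]:
            del self.blacklist[ip]  # aged out
            return False
        return True

    def connection(self, ip, now):
        """Account one connection attempt from ip at time now (seconds);
        return "permit" or "drop"."""
        if self.is_blacklisted(ip, now):
            return "drop"           # blacklisted: every packet is filtered
        window = self.attempts[ip]
        while window and now - window[0] >= self.WINDOW:
            window.popleft()
        window.append(now)
        if len(window) >= self.max_rate:
            # Rate reached or exceeded the threshold: treat ip as a scanner.
            if self.add_to_blacklist:
                self.blacklist_add(ip, now, "auto", self.blacklist_timeout)
            return "drop"
        return "permit"

    def display_blacklist(self, now):
        """Rows like display blacklist: (ip, type, aging started, aging finished)."""
        rows = []
        for ip in list(self.blacklist):
            if self.is_blacklisted(ip, now):
                e = self.blacklist[ip]
                finished = "Never" if e["finished"] is None else e["finished"]
                rows.append((ip, e["type"], e["started"], finished))
        return rows


if __name__ == "__main__":
    # Constructed burst: six attempts in half a second against max-rate 3.
    d = ScanDefense(max_rate=3, add_to_blacklist=True)
    for i in range(6):
        print(d.connection("10.0.0.6", 0.1 * i))
    print(d.display_blacklist(1.0))          # auto entry, 10-minute aging
    print(d.connection("10.0.0.6", 601.0))   # entry aged out: permit again
```

    The difference between the two modes is what the model makes visible: without add-to-blacklist the source is permitted again as soon as its rate falls under the threshold (a slow scanner stays under it), whereas with it the source stays blocked for the full timeout regardless of its later rate.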
  • Page 438: Defense Syn-Flood Action

    Related commands • blacklist enable • defense scan add-to-blacklist • defense scan blacklist-timeout • defense scan enable defense syn-flood action Use defense syn-flood action to specify the actions to be taken in response to SYN flood attack packets. Use undo defense syn-flood action to restore the default. Syntax defense syn-flood action { drop-packet | trigger-tcp-proxy } undo defense syn-flood action...
  • Page 439: Defense Syn-Flood Ip

    Default SYN flood attack protection is disabled. Views Attack protection policy view Default command level 2: System level Examples # Enable SYN flood attack protection in attack protection policy 1. <Sysname> system-view [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense syn-flood enable Related commands •...
  • Page 440: Defense Syn-Flood Rate-Threshold

    of SYN packets destined for the specified IP address drops below the silence threshold, it considers that the attack is over, returns to attack detection state, and stops taking the protection measures. Usage guidelines You can specify a maximum of 32 protected IP addresses in each attack protection policy. Examples # Configure SYN flood attack protection for IP address 192.168.1.2, and set the action threshold to 2000 packets per second and the silence threshold to 1000 packets per second.
  • Page 441: Defense Udp-Flood Action Drop-Packet

    Usage guidelines Adjust the thresholds according to your actual network conditions. For protected objects that normally receive high SYN traffic, for example an HTTP server or FTP server, set a larger action threshold to avoid impact on normal services. For poor network conditions, or attack-sensitive networks, you can set a smaller action threshold.
  • Page 442: Defense Udp-Flood Ip

    Use undo defense udp-flood enable to restore the default. Syntax defense udp-flood enable undo defense udp-flood enable Default UDP flood attack protection is disabled. Views Attack protection policy view Default command level 2: System level Examples # Enable UDP flood attack protection in attack protection policy 1. <Sysname>...
  • Page 443: Defense Udp-Flood Rate-Threshold

    packets destined for the specified IP address constantly reaches or exceeds the specified action threshold, the device considers the IP address to be under attack, enters attack protection state, and takes protection actions as configured. low rate-number: Sets the silence threshold for UDP flood attack protection of the specified IP address.
  • Page 444: Display Attack-Defense Policy

    reaches or exceeds the specified action threshold, the device considers the IP address to be under attack, enters attack protection state, and takes protection actions as configured. low rate-number: Sets the global silence threshold for UDP flood attack protection. The rate-number argument indicates the number of UDP packets sent to an IP address per second and is in the range of 1 to 64000.
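    The SYN-flood and UDP-flood commands above share one mechanism: per protected address, a rate at or above the action threshold (high) moves the device into the attack protection state, and only a rate below the silence threshold (low) moves it back, so a rate between the two changes nothing. Per-IP thresholds override the global ones, with at most 32 protected addresses per policy. The following state machine, added here as an example and not the HSR6800 code, implements that hysteresis. The 1 to 64000 range check reuses the rate-number range quoted for UDP above and is assumed to apply to SYN as well; the action names are taken from defense syn-flood action, and the per-second rates fed in are constructed.

```python
"""Action/silence threshold state machine for SYN or UDP flood protection.
Added example; not the HSR6800 implementation."""


class FloodDefense:
    MAX_PROTECTED_IPS = 32   # "a maximum of 32 protected IP addresses" per policy

    def __init__(self, high, low, action="drop-packet"):
        # Global thresholds: used for addresses without their own settings.
        self.global_thresholds = self._check(high, low)
        self.action = action         # defense *-flood action (drop-packet or none)
        self.per_ip = {}             # protected ip -> (high, low)
        self.state = {}              # ip -> "detection" | "protection"

    @staticmethod
    def _check(high, low):
        # Range taken from the UDP rate-number description; low may not exceed high.
        if not 1 <= low <= high <= 64000:
            raise ValueError("thresholds must satisfy 1 <= low <= high <= 64000")
        return (high, low)

    def protect_ip(self, ip, high, low):
        """Per-IP thresholds (defense *-flood ip); False once 32 entries exist."""
        if ip not in self.per_ip and len(self.per_ip) >= self.MAX_PROTECTED_IPS:
            return False
        self.per_ip[ip] = self._check(high, low)
        return True

    def thresholds(self, ip):
        return self.per_ip.get(ip, self.global_thresholds)

    def observe_rate(self, ip, pps):
        """Feed the packets-per-second rate destined for ip; return new state."""
        high, low = self.thresholds(ip)
        state = self.state.get(ip, "detection")
        if state == "detection" and pps >= high:
            state = "protection"     # action threshold reached: attack detected
        elif state == "protection" and pps < low:
            state = "detection"      # below silence threshold: attack is over
        # Any rate in [low, high) leaves the current state unchanged.
        self.state[ip] = state
        return state

    def verdict(self, ip):
        """What happens to further flood packets toward ip right now."""
        if self.state.get(ip) == "protection" and self.action == "drop-packet":
            return "drop"
        return "forward"


if __name__ == "__main__":
    # The page's own example: 192.168.1.2 with high 2000 and low 1000 pps,
    # plus constructed global thresholds of 1000/750.
    f = FloodDefense(high=1000, low=750)
    f.protect_ip("192.168.1.2", high=2000, low=1000)
    for pps in (1500, 2000, 1200, 999):
        print(pps, f.observe_rate("192.168.1.2", pps), f.verdict("192.168.1.2"))
```

    The sequence 2000, 1200, 999 shows why the silence threshold exists: a rate hovering just under the action threshold does not flap the device in and out of protection, which matters because each transition is also a log event.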
  • Page 445 Examples # Display configuration information about attack protection policy 1.
    <Sysname> display attack-defense policy 1
    Attack-defense Policy Information
    ------------------------------------------------------------
    Policy number
    Bound interfaces : GigabitEthernet3/0/1
    ------------------------------------------------------------
    Smurf attack-defense : Enabled
    ICMP redirect attack-defense : Disabled
    ICMP unreachable attack-defense : Disabled
    Large ICMP attack-defense : Enabled
    Max-length...
  • Page 446 SYN Flood attack-defense for specific IP addresses:
    High-rate(packets/s) Low-rate(packets/s)
    192.168.1.1 1000
    192.168.2.1 2000 1000
    Table 73 Command output
    Field: Description
    Policy number: Sequence number of the attack protection policy.
    Bound interfaces: Interfaces to which the attack protection policy is applied.
    Smurf attack-defense: Indicates whether Smurf attack protection is enabled.
  • Page 447: Display Attack-Defense Statistics Interface

    Field: Description
    UDP flood low-rate: Global silence threshold for UDP flood attack protection.
    UDP flood attack on IP: UDP flood attack protection settings for specific IP addresses.
    SYN flood attack-defense: Indicates whether SYN flood attack protection is enabled.
    SYN flood action: Action to be taken when a SYN flood attack is detected. It can be Drop-packet (dropping subsequent packets) or Syslog (outputting an alarm log).
  • Page 448 <Sysname> display attack-defense statistics interface gigabitethernet 3/0/1 Attack-defense Statistics Information ------------------------------------------------------------ Interface : GigabitEthernet3/0/1 ------------------------------------------------------------ Attack policy number Fraggle attacks Fraggle packets dropped : 100 ICMP redirect attacks ICMP redirect packets dropped : 100 ICMP unreachable attacks ICMP unreachable packets dropped : 100 LAND attacks LAND attack packets dropped...
  • Page 449: Display Blacklist

    Field Description LAND attacks Number of detected Land attacks. LAND attack packets dropped Number of Land packets dropped. Large ICMP attacks Number of detected large ICMP attacks. Large ICMP packets dropped Number of large ICMP packets dropped. Route record attacks Number of detected Route Record attacks.
  • Page 450 Views Any view Default command level 1: Monitor level Parameters all: Displays information about all blacklist entries. ip source-ip-address: Displays information about the blacklist entry for an IP address. source-ip-address indicates the IP address, which cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.
  • Page 451: Display Flow-Statistics Statistics

    Field Description Type Type of the blacklist entry: • manual—The entry was added manually. • auto—The entry was added automatically by the scanning attack protection function. Aging started Time when the blacklist entry is added. Aging finished Aging time of the blacklist entry. Never means that the entry never gets aged.
  • Page 452 chassis chassis-number slot slot-number: Displays traffic statistics on a card of an IRF member device. The chassis-number argument refers to the ID of the IRF member device. The slot-number argument refers to the number of the slot where the card resides. (In IRF mode.) |: Filters command output by specifying a regular expression.
  • Page 453: Display Flow-Statistics Statistics Interface

    display flow-statistics statistics interface Use display flow-statistics statistics interface to display the traffic statistics of an interface. Syntax display flow-statistics statistics interface interface-type interface-number { inbound | outbound } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
  • Page 454: Display Tcp-Proxy Protected-Ip

    Table 77 Command output Field Description Total number of existing sessions Total number of connections. Session establishment rate Connection establishment rate. TCP sessions Number of TCP connections. Half-open TCP sessions Number of half-open connections. Half-close TCP sessions Number of half-close connections. TCP session establishment rate TCP connection establishment rate.
  • Page 455: Flow-Statistics Enable

    Examples # Display information about all IP addresses protected by the TCP proxy function. <Sysname> display tcp-proxy protected-ip Protected IP Port Number Type Lifetime(min) Rejected packets 1.1.1.1 Dynamic Table 78 Command output Field Description Protected IP IP address under the protection of TCP proxy. Destination port number of the TCP connection request.
  • Page 456: Reset Attack-Defense Statistics Interface

    <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] flow-statistics enable destination-ip # You can use the following command to view statistics on packets sent out of the interface with the destination IP address being 2.2.2.2 (you can specify the destination IP address as needed). [Sysname-GigabitEthernet3/0/1] display flow-statistics statistics destination-ip 2.2.2.2 Related commands display flow-statistics statistics...
  • Page 457: Signature-Detect Action Drop-Packet

    Parameters fraggle: Specifies the Fraggle packet attack. icmp-redirect: Specifies the ICMP redirect packet attack. icmp-unreachable: Specifies the ICMP unreachable packet attack. land: Specifies the Land packet attack. large-icmp: Specifies the large ICMP packet attack. route-record: Specifies the route record packet attack. smurf: Specifies the Smurf packet attack.
  • Page 458: Signature-Detect Large-Icmp Max-Length

    signature-detect large-icmp max-length Use signature-detect large-icmp max-length to specify the ICMP packet length threshold that triggers large ICMP attack protection. Use undo signature-detect large-icmp max-length to restore the default. Syntax signature-detect large-icmp max-length length undo signature-detect large-icmp max-length Default An ICMP packet length of 4000 bytes triggers large ICMP attack protection. Views Attack protection policy view Default command level...
  • Page 459: Tcp-Proxy Mode

    Views Interface view Default command level 2: System level Usage guidelines Usually, the TCP proxy function is used on a device's interfaces connected to external networks to protect internal servers from SYN flood attacks. When detecting a SYN flood attack, the device can take protection actions configured by using the defense syn-flood action command.
  • Page 460 Related commands • tcp-proxy enable • display tcp-proxy protected-ip...
  • Page 461: Tcp Attack Protection Configuration Commands

    TCP attack protection configuration commands display tcp status Use display tcp status to display status of all TCP connections for monitoring TCP connections. Syntax display tcp status [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters...
  • Page 462: Tcp Anti-Naptha Enable

    098c3280 0.0.0.0:23 0.0.0.0:0 Listening 098c3d20 0.0.0.0:646 0.0.0.0:0 Listening Table 79 Command output Field Description *: TCP MD5 Connection If the status information about a TCP connection contains an asterisk (*), the TCP connection adopts the MD5 algorithm for authentication. TCPCB TCP control block. Local Add:port Local IP address and port number.
  • Page 463: Tcp Syn-Cookie Enable

    undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number Default The maximum number of TCP connections in each state is 5. Views System view Default command level 2: System level Parameters closing: Specifies the CLOSING state of a TCP connection. established: Specifies the ESTABLISHED state of a TCP connection.
  • Page 464: Tcp Timer Check-State

    Views System view Default command level 2: System level Examples # Enable the SYN Cookie feature. <Sysname> system-view [Sysname] tcp syn-cookie enable tcp timer check-state Use tcp timer check-state to configure the TCP connection state check interval. Use undo tcp timer check-state to restore the default. Syntax tcp timer check-state time-value undo tcp timer check-state...
  • Page 465: Ip Source Guard Configuration Commands

    IP source guard configuration commands IP source guard configuration commands are available only for SAP interface modules operating in Layer 2 mode. display ip source binding Use display ip source binding to display IPv4 source guard entries. Syntax In standalone mode: display ip source binding [ static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]...
  • Page 466: Ip Source Binding

    When you use the static keyword, the command displays static IPv4 source guard entries. If you specify neither a port nor an interface card, the command displays static IPv4 source guard entries on all ports. Examples # Display all IPv4 source guard entries. <Sysname>...
  • Page 467: Ip Verify Source

    undo ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] Default No static IPv4 binding entry exists on a port. Views Layer 2 Ethernet interface view Default command level 2: System level Parameters ip-address ip-address: Specifies the IPv4 address for the static binding entry.
  • Page 468: Ip Verify Source Max-Entries

    Parameters ip-address: Binds source IPv4 addresses to the port. ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port. mac-address: Binds source MAC addresses to the port. Usage guidelines After you enable the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard entries based on the DHCP snooping entries or the DHCP-relay entries, and all static IPv4 source guard entries on the port become effective.
  • Page 469 Usage guidelines If the maximum number of IPv4 binding entries to be configured is smaller than the number of existing IPv4 binding entries on the port, the maximum number can be configured successfully and the existing entries will not be affected. New IPv4 binding entries, however, cannot be added any more unless the number of IPv4 binding entries on the port drops below the configured maximum.
  • Page 470: Arp Attack Protection Configuration Commands

    ARP attack protection configuration commands IP flood protection configuration commands arp resolving-route enable Use arp resolving-route enable to enable ARP blackhole routing. Use undo arp resolving-route enable to disable the function. Syntax arp resolving-route enable undo arp resolving-route enable Default ARP blackhole routing is disabled.
  • Page 471: Arp Source-Suppression Limit

    [Sysname] arp source-suppression enable Related commands display arp source-suppression arp source-suppression limit Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in five seconds. Unresolvable IP packets refer to packets that cannot be resolved by ARP.
  • Page 472: Arp Packet Rate Limit Configuration Commands

    begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about the current ARP source suppression configuration.
  • Page 473: Arp Packet Source Mac Consistency Check Configuration Commands

    slot slot-number: Specifies a card by its slot number. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument specifies the ID of the IRF member device. The slot-number argument specifies the slot number of the card. (In IRF mode.) Examples # Specify the ARP packet rate for the card in slot 1 as 50 pps, and discard packets that exceed the rate.
  • Page 474: Authorized Arp Configuration Commands

    Syntax arp anti-attack active-ack enable undo arp anti-attack active-ack enable Default The ARP active acknowledgement function is disabled. Views System view Default command level 2: System level Usage guidelines This feature is configured on gateway devices to identify invalid ARP packets. Examples # Enable the ARP active acknowledgement function.
  • Page 475: Arp Detection Configuration Commands

    ARP detection configuration commands NOTE: The commands of this feature are supported only when SAP modules operate in bridge mode. arp detection Use arp detection to configure a user validity check rule. Use undo arp detection to restore the default. Syntax arp detection id-number { deny | permit } ip { any | ip-address [ ip-address-mask ] } mac { any | mac-address [ mac-address-mask ] } [ vlan vlan-id ]...
  • Page 476: Arp Detection Enable

    Examples # Configure a user validity check rule, and enable user validity check. <Sysname> system-view [Sysname] arp detection 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0607 ffff-ffff-0000 [Sysname] vlan 2 [Sysname-vlan2] arp detection enable Related commands arp detection enable arp detection enable Use arp detection enable to enable ARP detection.
  • Page 477: Arp Detection Validate

    Examples # Configure GigabitEthernet 3/0/1 as an ARP trusted port. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] arp detection trust arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line. Use undo arp detection validate to disable ARP packet validity check.
  • Page 478: Display Arp Detection

    Default ARP restricted forwarding is disabled. Views VLAN view Default command level 2: System level Examples # Enable ARP restricted forwarding in VLAN 2. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs enabled with ARP detection. Syntax display arp detection [ | { begin | exclude | include } regular-expression ] Views...
  • Page 479: Reset Arp Detection Statistics

    Syntax display arp detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters interface interface-type interface-number: Displays the ARP detection statistics of a specific interface.
  • Page 480: Arp Automatic Scanning And Fixed Arp Configuration Commands

    Syntax reset arp detection statistics [ interface interface-type interface-number ] Views User view Default command level 1: Monitor level Parameters interface interface-type interface-number: Clears the ARP detection statistics of a specific interface. Examples # Clear the ARP detection statistics of all interfaces. <Sysname>...
  • Page 481: Arp Scan

    arp scan Use arp scan to enable ARP automatic scanning in the specified address range for neighbors. Syntax arp scan [ start-ip-address to end-ip-address ] Views Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, VLAN interface view, Layer 3 aggregate interface view, Layer 3 aggregate sub-interface view Default command level 2: System level...
  • Page 482: Arp Filter Source

    arp filter source Use arp filter source to enable ARP gateway protection for a specific gateway. Use undo arp filter source to disable ARP gateway protection for the specified gateway. Syntax arp filter source ip-address undo arp filter source ip-address Default ARP gateway protection is disabled.
  • Page 483 Views Layer 2 Ethernet interface view, Layer 2 aggregate interface view Default command level 2: System level Parameters ip-address: Specifies a permitted sender IP address. mac-address: Specifies a permitted sender MAC address. Usage guidelines You can configure up to eight ARP filtering entries on a port. You cannot configure both arp filter source and arp filter binding commands on a port.
  • Page 484: Nd Attack Defense Configuration Commands

    ND attack defense configuration commands ipv6 nd mac-check enable Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets. Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets. Syntax ipv6 nd mac-check enable undo ipv6 nd mac-check enable Default Source MAC consistency check is disabled for ND packets.
  • Page 485: Urpf Configuration Commands

    URPF configuration commands ip urpf Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks. Use undo ip urpf to disable URPF check. Syntax ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ] undo ip urpf Default URPF check is disabled.
  • Page 486: Fips Configuration Commands

    FIPS configuration commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Default command level 1: Monitor level Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled Related commands fips mode enable...
  • Page 487: Fips Self-Test

    Configure the username and password to log in to the device in FIPS mode. The password must include at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters. Delete all MD5-based digital certificates. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
  • Page 488 If the self-test fails, the device automatically reboots. Examples # Trigger a self-test on the cryptographic algorithms. <Sysname> system-view [Sysname] fips self-test Self-tests are running. Please wait... Self-tests succeeded.
  • Page 489: Group Domain Vpn Commands

    Group Domain VPN commands KS configuration commands display gdoi ks Use display gdoi ks to display GDOI KS information. Syntax display gdoi ks [ group group-name ] Views User view Default command level 1: Monitor level Parameters group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters.
  • Page 490 <Sysname> display gdoi ks Group Name: abc Group identity Group members Redundancy : Enabled Local address : 105.112.100.2 Local version : 1.0 Local priority : 10 Local role : Primary Hello interval : 20 sec Hello number Retransmit interval : 10 sec Retransmit attempts Rekey transport type : Multicast...
  • Page 491: Display Gdoi Ks Acl

    ACL configured : 3001 Table 83 Command output Field Description Group Name Name of the GDOI KS group. Group identity KS group identity, a number or an IPv4 address. If no identity is configured, this field is blank. Group members Number of online GMs in the GDOI KS group.
  • Page 492: Display Gdoi Ks Members

    <Sysname> display gdoi ks acl group abc Group Name: abc ACL abc rule 0 permit ip source 1.1.1.2 0 destination 2.2.2.3 0 rule 1 permit tcp source 1.1.0.0 0.0.255.255 destination 2.2.0.0 0.0.255.255 rule 2 permit ip # Display ACLs referenced by all GDOI KS groups. <Sysname>...
  • Page 493: Display Gdoi Ks Policy

    If you do not specify the ip ip-address option, the command displays information about all online GMs in the specified GDOI KS group. If you do not specify any parameter, the command displays information about all online GMs in all GDOI KS groups.
  • Page 494 Syntax display gdoi ks policy [ group group-name ] Views User view Default command level 1: Monitor level Parameters group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays policy information for all GDOI KS groups.
  • Page 495: Display Gdoi Ks Redundancy

    Field Description Remaining lifetime Remaining time of the KEK or TEK lifetime. Signature key name Name of the key pair used for signature. Encapsulation IPsec encapsulation mode for IP packets: Tunnel or Transport. Number or name of the ACL referenced. Transform Name of the IPsec transform set referenced.
  • Page 496: Display Gdoi Ks Rekey

    Peer address : 172.1.1.1 Peer version : 1.0 Peer priority : 100 Peer role : Secondary Peer status : Ready Table 87 Command output Field Description Group Name GDOI KS group name. Role of the local KS in the redundancy: •...
  • Page 497 Examples # Display rekey information for all GDOI KS groups. <Sysname> display gdoi ks rekey Group Name: handl Rekey transport type : Multicast Number of rekeys sent Number of rekeys retransmitted Retransmit period : 10 sec Number of retransmissions : 10 Multicast destination address : 230.1.1.1 KEK rekey lifetime...
  • Page 498: Gdoi Ks Group

    Field Description Remaining lifetime Remaining time of the KEK or IPsec SA, in seconds. gdoi ks group Use gdoi ks group to create a GDOI KS group and enter GDOI KS group view. Use undo gdoi ks group to delete a GDOI KS group. Syntax gdoi ks group group-name undo gdoi ks group group-name...
  • Page 499: Gdoi Ks Rekey

    Parameters port-number: Specifies a UDP port number in the range of 1 to 65535. Usage guidelines A GDOI KS uses the UDP port number configured in this command to send and receive redundancy protocol packets to and from other KSs. All KSs in the same GDOI KS group must use the same UDP port number.
  • Page 500: Identity Number

    Syntax identity address address undo identity Default No IP address is configured for a GDOI KS group. Views GDOI KS group view Default command level 2: System level Parameters address: Specifies any valid IPv4 address to identify the GDOI KS group. Usage guidelines You can configure only one type of ID (either an IP address or a number) for a GDOI KS group.
  • Page 501: Ipsec

    Examples # Configure the number of the GDOI KS group abc as 123456. <Sysname> system-view [Sysname]gdoi ks group abc [Sysname-gdoi-ks-group-abc] identity number 123456 Related commands • identity address • gdoi ks group ipsec Use ipsec to create an IPsec policy for the GDOI KS group and enter GDOI KS IPsec policy view. Use undo ipsec to delete an IPsec policy for the GDOI KS group.
  • Page 502: Peer Address

    Syntax local priority priority undo local Default The local priority of the GDOI KS is 1. Views GDOI KS group view Default command level 2: System level Parameters priority: Specifies the local priority of the GDOI KS, in the range of 1 to 65535. A higher number represents a higher priority.
  • Page 503: Profile (Gdoi Ks Group Ipsec Policy View)

    Default command level 2: System level Parameters ip-address: Specifies the IP address of a peer KS. Usage guidelines You can specify multiple peer KS IP addresses by executing this command multiple times. The peer IP address configuration takes effect only when KS redundancy is enabled with the redundancy enable command.
  • Page 504: Redundancy Enable

    [Sysname]gdoi ks group abc [Sysname-gdoi-ks-group-abc] ipsec 10 [Sysname-gdoi-ks-group-abc-ipsec-10] profile profile1 [Sysname-gdoi-ks-group-abc-ipsec-10] Related commands • gdoi ks group • ipsec redundancy enable Use redundancy enable to enable GDOI KS redundancy. Use undo redundancy enable to disable GDOI KS redundancy. Syntax redundancy enable undo redundancy enable Default GDOI KS redundancy is disabled.
  • Page 505: Redundancy Retransmit

    Default The redundancy hello packet sending interval for the primary KS is 20 seconds. A secondary KS initiates primary KS re-election when it fails to receive redundancy hello packets from the primary KS 3 times consecutively. Views GDOI KS group view Default command level 2: System level Parameters...
  • Page 506: Rekey Acl

    Default The retransmission interval is 10 seconds, and the maximum number of retransmissions is 2. Views GDOI KS group view Default command level 2: System level Parameters interval interval: Specifies the redundancy protocol packet retransmission interval in the range of 10 to 60 seconds.
  • Page 507: Rekey Authentication

    Parameters access-list-number: Specifies an ACL by its number in the range of 3000 to 3999. name access-list-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If the multicast rekey method is used, you must specify the rekey ACL. Otherwise, the KS cannot generate the KEK or send rekey messages.
  • Page 508: Rekey Encryption

    Examples # Specify the rekey key pair as mykey for the GDOI KS group abc. <Sysname> system-view [Sysname]gdoi ks group abc [Sysname-gdoi-ks-group-abc] rekey authentication public-key rsa mykey Related commands gdoi ks group rekey encryption Use rekey encryption to specify the rekey encryption algorithm. Use undo rekey encryption to restore the default.
  • Page 509: Rekey Retransmit

    Views GDOI KS group view Default command level 2: System level Parameters seconds number-of-seconds: Specifies a time-based lifetime for KEKs, in the range of 300 to 86400 seconds. Usage guidelines The TEK lifetime is the IPsec SA lifetime, which is determined by the IPsec SA lifetime configured in the IPsec profile.
  • Page 510: Rekey Transport Unicast

    Related commands gdoi ks group rekey transport unicast Use rekey transport unicast to enable unicasting rekey messages. Use undo rekey transport unicast to restore the default. Syntax rekey transport unicast undo rekey transport unicast Default The KS multicasts rekey messages. Views GDOI KS group view Default command level...
  • Page 511: Reset Gdoi Ks Members

    <Sysname> reset gdoi ks group abc reset gdoi ks members Use reset gdoi ks members to clear GM information saved on the KS, including the GM registration information and the TEKs/KEKs sent to GMs. Syntax reset gdoi ks members [ group group-name ] Views User view Default command level...
  • Page 512: Security Acl (Gdoi Ks Group Ipsec Policy View)

    security acl (GDOI KS group IPsec policy view) Use security acl to reference an ACL for the GDOI KS IPsec policy. Use undo security acl to remove the referenced ACL. Syntax security acl { access-list-number | name access-list-name } undo security acl Default No ACL is referenced.
  • Page 513: Gm Configuration Commands

    Views GDOI KS group view Default command level 2: System level Parameters ip-address: Specifies any valid IPv4 address. Usage guidelines Perform this task to specify the source address for GROUPKEY-PUSH protocol packets and redundancy protocol packets sent by the KS. Examples # Specify the source address for the GDOI KS group abc as 11.1.1.1.
  • Page 514: Display Gdoi Gm

    <Sysname> system-view [Sysname] gdoi gm group abc [Sysname-gdoi-gm-group-abc] client registration interface gigabitethernet 1/0/1 Related commands gdoi gm group display gdoi gm Use display gdoi gm to display GDOI GM group information, including GDOI configuration parameters, negotiation parameters, and the IPsec information obtained after successful registrations.
  • Page 515 Attempted registrations : 1133 Last rekey from : 90.1.1.1 Last rekey seq num Multicast rekeys received: 1 Allowable rekey cipher : Any Allowable rekey hash : Any Allowable transform : Any Rekeys Cumulative Total received After latest registration: 3 Rekey received (hh:mm:ss): 00:02:11 ACL Downloaded From KS 90.1.1.1: rule 0 deny udp source-port eq 848 destination-port eq 848 rule 1 deny ospf...
  • Page 516 Field Description Rekeys Received Number of rekey messages received. IPsec SA direction: Both or Inbound (not supported at IPsec SA Direction present). KS IP address list in the GDOI GM group. The list can Group Server List contain eight addresses at most. Group Member IP address of the GM.
  • Page 517: Display Gdoi Gm Acl

    Field Description rule 0 deny udp source-port eq 848 destination-port eq 848 Indicates that any UDP packets whose source and destination port numbers are both 848 do not need to be protected by IPsec. rule 1 deny ospf Indicates that OSPF protocol packets do not need to be protected by IPsec.
  • Page 518 exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameter, the command displays information about all ACLs for all GMs, including the downloaded ACLs and the locally configured ACLs.
  • Page 519: Display Gdoi Gm Ipsec Sa

    Field Description rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 Indicates that IPsec does not protect IP packets whose source and destination addresses are within subnet 10.1.1.0/24. display gdoi gm ipsec sa Use display gdoi gm ipsec sa to display IPsec SA information obtained by GMs. Syntax display gdoi gm ipsec sa [ group group-name ] [ | { begin | exclude | include } regular-expression ]...
  • Page 520: Display Gdoi Gm Members

    SA timing: remaining key lifetime (sec): 190 Anti-replay detection: Disabled Table 91 Command output Field Description Interface Name of the interface bound to the IPsec SA. Transform Transform set. remaining key lifetime (sec) Remaining lifetime of the IPsec SA, in seconds. Time-based anti-replay window size, in seconds.
  • Page 521 Registration status : Registered Registered with : 90.1.1.1 Re-register in : 308 sec Succeeded registrations : 1131 Attempted registrations : 1139 Last rekey from : 90.1.1.1 Last rekey seq num Multicast rekeys received: 1 Allowable rekey cipher : Any Allowable rekey hash : Any Allowable transform : Any...
  • Page 522: Display Gdoi Gm Pubkey

    Field Description Allowable transform The rekey transform mode that the GM allows. Any indicates that the GM allows all transform modes. display gdoi gm pubkey Use display gdoi gm pubkey to display the public key information received by GMs. Syntax display gdoi gm pubkey [ group group-name ] [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 523: Display Gdoi Gm Rekey

    display gdoi gm rekey Use display gdoi gm rekey to display rekey information for GMs. Syntax display gdoi gm rekey [ verbose ] [ group group-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters...
  • Page 524: Gdoi Gm Group

    Destination Source Conn-ID My Cookie His Cookie : 239.192.1.190 90.1.1.1 9646 14406D26 8C58E504 Current : 239.192.1.190 90.1.1.1 9646 14406D26 8C58E504 Previous : --- Table 94 Command output Field Description Group Name GDOI GM group name. Unicast Indicates the rekey transport type is unicast. Multicast Indicates the rekey transport type is multicast.
  • Page 525: Group

    The device supports 64 GDOI GM groups at most. Examples # Create a GDOI GM group named abc, and enter its view. <Sysname> system-view [Sysname] gdoi gm group abc [Sysname-gdoi-gm-group-abc] Related commands display gdoi gm group Use group to specify the GDOI GM group to be referenced by the GDOI IPsec policy. Use undo group to remove the GDOI GM group referenced by the GDOI IPsec policy.
  • Page 526: Reset Gdoi Gm

    Use undo identity to delete the GDOI GM group ID. Syntax identity { address ip-address | number number } undo identity Default No ID is configured for a GDOI GM group. Views GDOI GM group view Default command level 2: System level Parameters address ip-address: Specifies any valid IPv4 address to identify the GDOI GM group.
  • Page 527: Server Address

    Parameters group group-name: Clears the GDOI information of GMs in a GDOI GM group. The group-name argument specifies the name of a GDOI GM group, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command displays GDOI information for all GMs. Examples # Clear the GDOI information for GMs, and trigger the GMs to re-register with the KS.
  • Page 528: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 529: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 530: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 531: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 532 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 533: Index

    Index A B C D E F G H I K L M N O P Q R S T U V W authentication ppp,13 authentication super,14 aaa nas-id profile,1 authentication-algorithm,302 access-limit,35 authentication-method,302 access-limit enable,1 authorization command,15 access-user detect,140 authorization default,16 accounting command,2...
  • Page 534 defense icmp-flood enable,419 display gdoi ks policy,480 defense icmp-flood ip,420 display gdoi ks redundancy,482 defense icmp-flood rate-threshold,421 display gdoi ks rekey,483 defense scan add-to-blacklist,422 display hwtacacs,85 defense scan blacklist-timeout,423 display ike dpd,304 defense scan enable,423 display ike peer,305 defense scan max-rate,424 display ike proposal,306...
  • Page 535 display stop-accounting-buffer (for HWTACACS),88 firewall http activex-blocking enable,405 display stop-accounting-buffer (for RADIUS),58 firewall http activex-blocking suffix,405 display tcp status,448 firewall http java-blocking acl,406 display tcp-proxy protected-ip,441 firewall http java-blocking enable,406 display user-group,42 firewall http java-blocking suffix,407 display user-profile,190 firewall http url-filter host acl,408 Documentation feedback,518...
  • Page 536 interval-time,319 organization,242 ip (PKI entity view),241 organization-unit,243 pool,32 ip source binding,453 password,46 urpf,472 password,195 ip verify source,454 password-control { aging | composition | history | ip verify source max-entries,455 length } enable,197 ipsec,488 password-control aging,198 ipsec anti-replay check,274 password-control alert-before-expire,199 ipsec anti-replay window,275 password-control...
  • Page 537 portal server,164 redundancy retransmit,492 portal server method,166 rekey acl,493 portal server server-detect,167 rekey authentication,494 portal server user-sync,168 rekey encryption,495 port-mapping,374 rekey lifetime,495 port-security authorization ignore,177 rekey retransmit,496 port-security enable,178 rekey transport unicast,497 port-security intrusion-mode,179 Remote support,518 port-security mac-address aging-type inactivity,179 remote-address,324 port-security mac-address dynamic,180...
  • Page 538 authentication-hex,292 ssh server rekey-interval,335 duration,293 user,336 duration,327 ssh2,357 encryption-hex,294 ssh2 ipv6,359 spi,295 state,251 string-key,296 state (ISP domain view),35 scp,348 state (local user view),48 secondary accounting (HWTACACS scheme state primary,78 view),98 state secondary,78 secondary accounting (RADIUS scheme view),72 stop-accounting-buffer enable (HWTACACS secondary authentication (HWTACACS scheme scheme view),101...