HP 3600 v2 Series Command Reference Manual
HP 3600 v2 Switch Series
Security

Command Reference

Part number: 5998-2366
Software version: Release 2101
Document version: 6W101-20130930


Summary of Contents for HP 3600 v2 Series

  • Page 1: Command Reference

    HP 3600 v2 Switch Series Security Command Reference Part number: 5998-2366 Software version: Release 2101 Document version: 6W101-20130930...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: AAA configuration commands (1); General AAA configuration commands (1); aaa nas-id profile (1); access-limit enable (1); accounting command (2); accounting default (3); accounting lan-access (3); accounting login ...
  • Page 4 data-flow-format (RADIUS scheme view) (41); display radius scheme (42); display radius statistics (44); display stop-accounting-buffer (for RADIUS) (48); key (RADIUS scheme view) (49); nas device-id (50); nas-backup-ip (51); ...
  • Page 5 vpn-instance (HWTACACS scheme view) (95); RADIUS server configuration commands (95); authorization-attribute (RADIUS-server user view) (95); description (RADIUS-server user view) (96); expiration-date (RADIUS-server user view) (97); password (RADIUS-server user view) (97); ...
  • Page 6 portal auth-network (148); portal backup-group (149); portal delete-user (150); portal domain (150); portal free-rule (151); portal local-server (152); portal local-server enable (153); portal local-server ip (154); ...
  • Page 7 Public key configuration commands (195); display public-key local public (195); display public-key peer (196); peer-public-key end (198); public-key-code begin (198); public-key-code end (199); public-key local create (200); ...
  • Page 8 display ipsec sa (235); display ipsec statistics (237); encapsulation-mode (238); esp authentication-algorithm (239); esp encryption-algorithm (240); ipsec policy (240); ipsec proposal (241); proposal (242); reset ipsec sa ...
  • Page 9 rmdir (273); sftp (273); sftp client ipv6 source (274); sftp client source (275); sftp ipv6 (275); SSL configuration commands (278); ciphersuite (278); client-verify enable (279); client-verify weaken ...
  • Page 10 ... (329); blacklist ip (329); display blacklist (330); Support and other resources (332); Contacting HP (332); Subscription service (332); Related information (332); Documents (332); ...
  • Page 11: Aaa Configuration Commands

    AAA configuration commands General AAA configuration commands aaa nas-id profile Syntax aaa nas-id profile profile-name undo aaa nas-id profile profile-name View System view Default level 2: System level Parameters profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters. Description Use the aaa nas-id profile command to create a NAS ID profile and enter its view.
  • Page 12: Accounting Command

    Parameters max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646. Description Use the access-limit enable command to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users will be accepted. Use the undo access-limit enable command to restore the default.
  • Page 13: Accounting Default

    [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac accounting default Syntax accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo accounting default View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 14: Accounting Login

    undo accounting lan-access View ISP domain view Default level 2: System level Parameters local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use the accounting lan-access command to configure the accounting method for LAN users.
  • Page 15: Accounting Optional

    local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use the accounting login command to configure the accounting method for login users (users logging in through the console, AUX, or Asyn port or accessing through Telnet).
  • Page 16: Accounting Portal

    communication with the current accounting server fails. However, the switch will not send real-time accounting updates for the user anymore. The accounting optional feature applies to scenarios where accounting is not important. NOTE: After you configure the accounting optional command, the setting configured by the access-limit command in local user view is not effective.
  • Page 17: Authentication Default

    [Sysname] domain test [Sysname-isp-test] accounting portal radius-scheme rd local authentication default Syntax authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authentication default View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a...
  • Page 18: Authentication Login

    View ISP domain view Default level 2: System level Parameters local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use the authentication lan-access command to configure the authentication method for LAN users. Use the undo authentication lan-access command to restore the default.
  • Page 19: Authentication Portal

    none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use the authentication login command to configure the authentication method for login users (users logging in through the console, AUX, or Asyn port or accessing through Telnet or FTP). Use the undo authentication login command to restore the default.
  • Page 20: Authentication Super

    Related commands: local-user, authentication default, and radius scheme. Examples # Configure ISP domain test to use local authentication for portal users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authentication portal local # Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.
  • Page 21: Authorization Command

    [Sysname-domain-test] authentication super hwtacacs-scheme tac authorization command Syntax authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none } undo authorization command View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 22: Authorization Lan-Access

    undo authorization default View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the switch, and other login users can access only the commands of Level 0.
  • Page 23: Authorization Login

    Parameters local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use the authorization lan-access command to configure the authorization method for LAN users.
  • Page 24: Authorization Portal

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use the authorization login command to configure the authorization method for login users (users logging in through the console, AUX, or Asyn port or accessing through Telnet or FTP). Use the undo authorization login command to restore the default.
  • Page 25: Authorization-Attribute User-Profile

    The specified RADIUS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. Related commands: local-user, authorization default, and radius scheme. Examples # Configure ISP domain test to use local authorization for portal users.
  • Page 26: Cut Connection

    cut connection Syntax cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ] View System view Default level...
  • Page 27: Display Connection

    An interface that is configured with a mandatory authentication domain treats users of the corresponding access type as users in the mandatory authentication domain. For example, if you configure an 802.1X mandatory authentication domain on an interface, the interface uses the domain’s AAA methods for all its 802.1X users.
  • Page 28 |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 29: Display Domain

    IPv6=N/A Access=Admin ,AuthMethod=PAP Port Type=Virtual ,Port Name=N/A Initial VLAN=999, Authorized VLAN=20 ACL Group=Disable User Profile=N/A CAR=Disable Priority=Disable Start=2011-01-16 10:53:03 ,Current=2011-01-16 10:57:06 ,Online=00h04m03s Total 1 connection matched. Slot: Total 0 connection matched. Table 1 Output description Field Description Username Username of the connection, in the format username@domain MAC address of the user IPv4 address of the user IPv6...
  • Page 30 begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display domain command to display the configuration information of ISP domains.
  • Page 31: Domain

    Table 2 Output description. Domain: ISP domain name. State: Status of the ISP domain, active or blocked. Users in an active ISP domain can request network services, and users in a blocked ISP domain cannot. Access-limit: Limit on the number of user connections. If there is no limit on the number, the value of this field is Disabled.
  • Page 32: Domain Default Enable

    Parameters isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that contains no forward slash (/), backward slash (\), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), vertical bar (|), quotation mark ("), or the @ sign. Description Use the domain isp-name command to create an ISP domain and enter ISP domain view.
  • Page 33: Idle-Cut Enable

    To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the domain default disable command. Related commands: domain, state, and display domain. Examples # Create a new ISP domain named test, and configure it as the default ISP domain. <Sysname>...
  • Page 34: Nas-Id Bind Vlan

    nas-id bind vlan Syntax nas-id nas-identifier bind vlan vlan-id undo nas-id nas-identifier bind vlan vlan-id View NAS ID profile view Default level 2: System level Parameters nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters vlan-id: ID of the VLAN to be bound with the NAS ID, in the range of 1 to 4094. Description Use the nas-id bind vlan command to bind a NAS ID with a VLAN.
  • Page 35: State (Isp Domain View)

    Description Use the self-service-url enable command to enable the self-service server location function and specify the URL of the self-service server. Use the undo self-service-url enable command to restore the default. By default, the self-service server location function is disabled. With the self-service function, users can manage and control their accounts and passwords.
  • Page 36: Local User Configuration Commands

    Local user configuration commands access-limit Syntax access-limit max-user-number undo access-limit View Local user view Default level 3: Manage level Parameters max-user-number: Maximum number of concurrent users of the current local user account, in the range of 1 to 1024. Description Use the access-limit command to limit the number of concurrent users of a local user account.
  • Page 37 Parameters acl acl-number: Specifies the authorization ACL. The ACL number must be in the range of 2000 to 5999. After passing authentication, a local user is authorized to access the network resources specified by this ACL. callback-number callback-number: Specifies the authorization PPP callback number. callback-number is a case-sensitive string of 1 to 64 characters.
  • Page 38: Bind-Attribute

    Authorization attributes configured for a user group are effective for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.
  • Page 39: Display Local-User

    Description Use the bind-attribute command to configure binding attributes for a local user. Use the undo bind-attribute command to remove binding attributes of a local user. By default, no binding attribute is configured for a local user. Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the user fails the checking and the authentication.
  • Page 40 vlan vlan-id: Specifies all local users in a VLAN. The VLAN ID ranges from 1 to 4094. slot slot-number: Specifies the local users on an IRF member switch. The slot-number argument represents the ID of the IRF member switch. The value range for the argument depends on the number of member switches and their member IDs in the IRF fabric.
  • Page 41: Display User-Group

    Field description. Current AccessNum: Current number of user connections that use the current username. Max AccessNum: Maximum number of user connections that use the current username. Bind attributes: Binding attributes of the local user. VLAN ID: VLAN to which the user is bound. Calling Number: Calling number bound for the ISDN user. Authorization attributes...
  • Page 42: Expiration-Date (Local User View)

    The contents of user group abc: Authorization attributes: Idle-cut: 120(min) Work Directory: FLASH: Level: Acl Number: 2000 Vlan ID: User-Profile: Callback-number: Total 1 user group(s) matched. expiration-date (local user view) Syntax expiration-date time undo expiration-date View Local user view Default level 3: Manage level Parameters time:...
  • Page 43: Group

    group Syntax group group-name undo group View Local user view Default level 3: Manage level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use the group command to assign a local user to a user group. Use the undo group command to restore the default.
  • Page 44: Local-User

    The guest attribute is set for the system predefined user group system by default, and you cannot remove the attribute for the user group. Examples # Set the guest attribute for user group test. <Sysname> system-view [Sysname] user-group test [Sysname-ugroup-test] group-attribute allow-guest local-user Syntax local-user user-name...
  • Page 45: Local-User Password-Display-Mode

    [Sysname-luser-user1] local-user password-display-mode Syntax local-user password-display-mode { auto | cipher-force } undo local-user password-display-mode View System view Default level 2: System level Parameters auto: Displays the password of a local user in the mode that is specified for the user by using the password command.
  • Page 46: Service-Type

    Default level 2: System level Parameters cipher: Displays the password in cipher text. simple: Displays the password in plain text. password: Password for the local user, case sensitive. It must be in plain text if you specify the simple keyword and can be in plain or cipher text if you specify the cipher keyword. A password in plain text must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc.
  • Page 47: State (Local User View)

    View Local user view Default level 3: Manage level Parameters ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default. lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users, for example, 802.1X users.
  • Page 48: User-Group

    Description Use the state command to set the status of a local user. Use the undo state command to restore the default. By default, a local user is in active state. By blocking a user, you disable the user from requesting network services. No other users are affected. Related commands: local-user.
  • Page 49: Validity-Date (Local User View)

    validity-date (local user view) Syntax validity-date time undo validity-date View Local user view Default level 3: Manage level Parameters time: Validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month.
  • Page 50: Attribute 25 Car

    View RADIUS scheme view Default level 2: System level Parameters seconds: Time interval for retransmitting an accounting-on packet in seconds, ranging from 1 to 15. The default is 3 seconds. send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255. The default is 50.
  • Page 51: Data-Flow-Format (Radius Scheme View)

    Description Use the attribute 25 car command to specify to interpret the RADIUS class attribute (attribute 25) as CAR parameters. Use the undo attribute 25 car command to restore the default. By default, RADIUS attribute 25 is not interpreted as CAR parameters. Related commands: display radius scheme and display connection.
  • Page 52: Display Radius Scheme

    display radius scheme Syntax display radius scheme [ radius-scheme-name ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters radius-scheme-name: RADIUS scheme name. slot slot-number: Specifies the RADIUS schemes on an IRF member switch. The slot-number argument represents the ID of an IRF member switch.
  • Page 53 VPN instance : N/A IP: 1.1.3.1 Port: 1812 State: active Encryption Key : N/A VPN instance : N/A Second Acct Server: IP: 1.1.2.1 Port: 1813 State: block Encryption Key : N/A VPN instance : N/A Auth Server Encryption Key : 123 Acct Server Encryption Key : N/A VPN instance Accounting-On packet disable, send times : 50 , interval : 3s...
  • Page 54: Display Radius Statistics

    Field description. VPN instance: MPLS L3VPN that the server belongs to. If no VPN instance is specified for the server, the value of this field is N/A. Auth Server Encryption Key: Shared key for secure authentication communication, in cipher text or plain text.
  • Page 55 Parameters slot slot-number: Specifies the RADIUS packet statistics for an IRF member switch. The slot-number argument represents the ID of the IRF member switch. The value range for the argument depends on the number of member switches and their member IDs in the IRF fabric. |: Filters command output by specifying a regular expression.
  • Page 56 RADIUS sent messages statistic: Auth accept Num = 10 Auth reject Num = 14 EAP auth replying Num = 0 Account success Num = 4 Account failure Num = 3 Server ctrl req Num = 0 RecError_MSG_sum = 0 SndMSG_Fail_sum Timer_Err Alloc_Mem_Err State Mismatch...
  • Page 57 Field description. Running statistic: Statistics for RADIUS messages received and sent by the RADIUS module. RADIUS received messages statistic: Statistics for received RADIUS messages. Normal auth request: Number of normal authentication requests. EAP auth request: Number of EAP authentication requests. Account request: Number of accounting requests. Account off request...
  • Page 58: Display Stop-Accounting-Buffer (For Radius)

    display stop-accounting-buffer (for RADIUS) Syntax display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for...
  • Page 59: Key (Radius Scheme View)

    Examples # Display information about the stop-accounting requests buffered for user abc. <Sysname> display stop-accounting-buffer user-name abc Slot RDIdx Session-ID user name Happened time 1000326232325010 23:27:16-03/31/2011 1000326232326010 23:33:01-03/31/2011 Total 2 record(s) Matched key (RADIUS scheme view) Syntax key { accounting | authentication } [ cipher | simple ] key undo key { accounting | authentication } View RADIUS scheme view...
  • Page 60: Nas Device-Id

    <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] key authentication cipher IT8Q4sHnitM= [Sysname-radius-radius1] display this radius scheme radius1 key authentication cipher IT8Q4sHnitM= # For RADIUS scheme radius1, set the shared key for secure accounting communication to the plaintext string ok and specify to display the key in plain text. <Sysname>...
  • Page 61: Nas-Backup-Ip

    By default, a switch works in standalone mode and has no device ID. Configuring or changing the device ID of a switch logs out all online users of the switch. The two switches working in stateful failover mode must use the device IDs of 1 and 2 respectively. The device ID is the symbol for stateful failover mode.
  • Page 62: Nas-Ip (Radius Scheme View)

    Related commands: nas-ip and radius nas-ip. Examples # For a switch working in stateful failover mode, set the source IP address and backup source IP address for outgoing RADIUS packets to 2.2.2.2 and 3.3.3.3, respectively. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] nas-ip 2.2.2.2 [Sysname-radius-radius1] nas-backup-ip 3.3.3.3 On the backup switch, you must set the source IP address and backup source IP address for outgoing...
  • Page 63: Primary Accounting (Radius Scheme View)

    NOTE: The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. Related commands: radius nas-ip.
  • Page 64: Primary Authentication (Radius Scheme View)

    Use the undo primary accounting command to remove the configuration. By default, no primary RADIUS accounting server is specified. The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version. The IP addresses of the primary and secondary accounting servers must be different from each other; otherwise, the configuration fails.
  • Page 65 port-number: Service port number of the primary authentication/authorization server, a UDP port number in the range of 1 to 65535. The default is 1812. key [ cipher | simple ] key: Specifies the shared key (case sensitive) for secure communication with the primary RADIUS authentication/authorization server.
  • Page 66: Radius Client

    radius client Syntax radius client enable undo radius client View System view Default level 2: System level Parameters None Description Use the radius client enable command to enable the RADIUS listening port of a RADIUS client. Use the undo radius client command to disable the RADIUS listening port of a RADIUS client. By default, the RADIUS listening port is enabled.
  • Page 67: Radius Nas-Ip

    Parameters ip-address: Backup source IP address for outgoing RADIUS packets. It must be the source IP address for outgoing RADIUS packets that is configured on the backup switch for stateful failover and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the backup source IP address belongs to.
  • Page 68: Radius Scheme

    Default level 2: System level Parameters ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the switch that is neither a loopback address nor a link-local address.
  • Page 69: Radius Trap

    Default level 3: Manage level Parameters radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters. Description Use the radius scheme command to create a RADIUS scheme and enter RADIUS scheme view. Use the undo radius scheme command to delete a RADIUS scheme. By default, no RADIUS scheme is defined.
  • Page 70: Reset Radius Statistics

    The status of a RADIUS server changes. If a NAS sends a request but receives no response before the maximum number of attempts is exceeded, it places the server in the blocked state and sends a trap message. If a NAS receives a response from a RADIUS server it considered unreachable, it considers that the RADIUS server is reachable again and also sends a trap message.
  • Page 71: Retry

    Parameters radius-scheme radius-scheme-name: Clears buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters. session-id session-id: Clears the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
  • Page 72: Retry Realtime-Accounting

    Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the switch does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the switch still receives no response from the RADIUS server, the switch considers the request a failure.
  • Page 73: Retry Stop-Accounting (Radius Scheme View)

    NOTE: The maximum number of accounting attempts, together with some other parameters, controls how the NAS sends accounting request packets. Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command).
  • Page 74: Secondary Accounting (Radius Scheme View)

    NOTE: The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets. Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of transmission attempts is five (set with the retry command), and the maximum number of stop-accounting attempts is 20 (set with the retry stop-accounting command).
  • Page 75 With neither the cipher keyword nor the simple keyword specified, the key must be a plaintext string of 1 to 64 characters, and the key will be displayed in cipher text. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the secondary RADIUS accounting server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 76: Secondary Authentication (Radius Scheme View)

    [Sysname] radius scheme radius2 [Sysname-radius-radius2] secondary accounting 10.110.1.1 1813 key hello [Sysname-radius-radius2] secondary accounting 10.110.1.2 1813 key hello secondary authentication (RADIUS scheme view) Syntax secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] * undo secondary authentication [ ipv4-address | ipv6 ipv6-address ] View...
  • Page 77: Security-Policy-Server

    The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version. The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails. If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
  • Page 78: Server-Type

    Description Use the security-policy-server command to specify a security policy server for a RADIUS scheme. Use the undo security-policy-server command to remove security policy servers for a RADIUS scheme. By default, no security policy server is specified for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
  • Page 79: State Secondary

    View RADIUS scheme view Default level 2: System level Parameters accounting: Sets the status of the primary RADIUS accounting server. authentication: Sets the status of the primary RADIUS authentication/authorization server. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state. Description Use the state primary command to set the status of a primary RADIUS server.
  • Page 80: Stop-Accounting-Buffer Enable (Radius Scheme View)

    ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS server. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state. Description Use the state secondary command to set the status of a secondary RADIUS server. By default, every secondary RADIUS server specified in a RADIUS scheme is in active state.
  • Page 81: Timer Quiet (Radius Scheme View)

    response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet. However, if you have removed the accounting server, stop-accounting messages are not buffered.
  • Page 82: Timer Realtime-Accounting (Radius Scheme View)

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer quiet 10 timer realtime-accounting (RADIUS scheme view) Syntax timer realtime-accounting minutes undo timer realtime-accounting View RADIUS scheme view Default level 2: System level Parameters minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range of 3 to 60. Description Use the timer realtime-accounting command to set the real-time accounting interval.
  • Page 83: Timer Response-Timeout (Radius Scheme View)

    timer response-timeout (RADIUS scheme view) Syntax timer response-timeout seconds undo timer response-timeout View RADIUS scheme view Default level 2: System level Parameters seconds: RADIUS server response timeout period in seconds, in the range of 1 to 10. Description Use the timer response-timeout command to set the RADIUS server response timeout timer. Use the undo timer response-timeout command to restore the default.
  • Page 84: Vpn-Instance (Radius Scheme View)

    Description Use the user-name-format command to specify the format of the username to be sent to a RADIUS server. By default, the ISP domain name is included in the username. A username is generally in the format userid@isp-name, of which isp-name is used by the switch to determine the ISP domain to which a user belongs.
  • Page 85: Hwtacacs Configuration Commands

    <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] vpn-instance test HWTACACS configuration commands data-flow-format (HWTACACS scheme view) Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } View HWTACACS scheme view...
  • Page 86 View Any view Default level 2: System level Parameters hwtacacs-scheme-name: HWTACACS scheme name. statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration information of the HWTACACS scheme. slot slot-number: Specifies the configuration information or statistics for an IRF member switch. The slot-number argument represents the ID of the IRF member switch.
  • Page 87 NAS-IP-address : 0.0.0.0 key authentication : 790131 key authorization : 790131 key accounting : 790131 VPN instance Quiet-interval(min) Realtime-accounting-interval(min) : 12 Response-timeout-interval(sec) Acct-stop-PKT retransmit times : 100 Username format : with-domain Data traffic-unit Packet traffic-unit : one-packet -------------------------------------------------------------------- Table 7 Output description Field Description HWTACACS-server template name...
  • Page 88 Slot: 1 ---[HWTACACS template gy primary authentication]--- HWTACACS server open number: 10 HWTACACS server close number: 10 HWTACACS authen client access request packet number: 10 HWTACACS authen client access response packet number: 6 HWTACACS authen client unknown type number: 0 HWTACACS authen client timeout number: 4 HWTACACS authen client packet dropped number: 4 HWTACACS authen client access request change password number: 0...
  • Page 89: Display Stop-Accounting-Buffer (For Hwtacacs)

    HWTACACS account client request network number: 0 HWTACACS account client request system event number: 0 HWTACACS account client request update number: 0 HWTACACS account client response error number: 0 HWTACACS account client round trip time(s): 0 display stop-accounting-buffer (for HWTACACS) Syntax display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]...
  • Page 90: Hwtacacs Scheme

    undo hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ] View System view Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the source IP address belongs to.
  • Page 91: Key (Hwtacacs Scheme View)

    View System view Default level 3: Manage level Parameters hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters. Description Use the hwtacacs scheme command to create an HWTACACS scheme and enter HWTACACS scheme view. Use the undo hwtacacs scheme command to delete an HWTACACS scheme. By default, no HWTACACS scheme exists.
  • Page 92 Description Use the key command to set the shared key for secure HWTACACS authentication, authorization, or accounting communication. Use the undo key command to remove the configuration. By default, no shared key is configured. The shared keys configured on the switch must match those configured on the HWTACACS servers. Related commands: display hwtacacs.
  • Page 93: Nas-Ip (Hwtacacs Scheme View)

    nas-ip (HWTACACS scheme view) Syntax nas-ip ip-address undo nas-ip View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the nas-ip command to specify a source address for outgoing HWTACACS packets.
  • Page 94: Primary Authentication (Hwtacacs Scheme View)

    View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address of the primary HWTACACS accounting server, in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.
  • Page 95: Primary Authorization

    View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address of the primary HWTACACS authentication server, in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49.
  • Page 96: Reset Hwtacacs Statistics

    View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address of the primary HWTACACS authorization server, in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49.
  • Page 97: Reset Stop-Accounting-Buffer (For Hwtacacs)

    View User view Default level 1: Monitor level Parameters accounting: Clears HWTACACS accounting statistics. all: Clears all HWTACACS statistics. authentication: Clears HWTACACS authentication statistics. authorization: Clears HWTACACS authorization statistics. slot slot-number: Clears HWTACACS statistics for an IRF member switch. The slot-number argument represents the ID of the IRF member switch.
  • Page 98: Retry Stop-Accounting (Hwtacacs Scheme View)

    <Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1 retry stop-accounting (HWTACACS scheme view) Syntax retry stop-accounting retry-times undo retry stop-accounting View HWTACACS scheme view Default level 2: System level Parameters retry-times: Maximum number of stop-accounting request transmission attempts, in the range of 1 to 300. Description Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.
  • Page 99: Secondary Authentication (Hwtacacs Scheme View)

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the secondary HWTACACS accounting server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Description Use the secondary accounting command to specify the secondary HWTACACS accounting server. Use the undo secondary accounting command to remove the configuration.
  • Page 100: Secondary Authorization

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the secondary HWTACACS authentication server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Description Use the secondary authentication command to specify the secondary HWTACACS authentication server.
  • Page 101: Stop-Accounting-Buffer Enable (Hwtacacs Scheme View)

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the secondary HWTACACS authorization server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Description Use the secondary authorization command to specify the secondary HWTACACS authorization server. Use the undo secondary authorization command to remove the configuration.
  • Page 102: Timer Quiet (Hwtacacs Scheme View)

    no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet. Related commands: reset stop-accounting-buffer and display stop-accounting-buffer. Examples # In HWTACACS scheme hwt1, enable the switch to buffer the stop-accounting requests getting no responses.
  • Page 103: Timer Response-Timeout (Hwtacacs Scheme View)

    View HWTACACS scheme view Default level 2: System level Parameters minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range of 3 to 60. A value of zero means “Do not send online user accounting information to the HWTACACS server.” Description Use the timer realtime-accounting command to set the real-time accounting interval.
  • Page 104: User-Name-Format (Hwtacacs Scheme View)

    Parameters seconds: HWTACACS server response timeout period in seconds, in the range of 1 to 300. Description Use the timer response-timeout command to set the HWTACACS server response timeout timer. Use the undo timer command to restore the default. By default, the HWTACACS server response timeout time is 5 seconds. HWTACACS is based on TCP.
  • Page 105: Vpn-Instance (Hwtacacs Scheme View)

    Examples # Specify the switch to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] user-name-format without-domain vpn-instance (HWTACACS scheme view) Syntax vpn-instance vpn-instance-name undo vpn-instance View HWTACACS scheme view...
  • Page 106: Description (Radius-Server User View)

    Default level 2: System level Parameters acl acl-number: Specifies the number of an ACL in the range of 2000 to 5999. vlan vlan-id: Specifies the ID of a VLAN in the range of 1 to 4094. Description Use the authorization-attribute command to specify the authorization attributes (ACL and VLAN) that the RADIUS server will assign to the RADIUS client in a response message after the RADIUS user passes RADIUS authentication.
  • Page 107: Expiration-Date (Radius-Server User View)

    [Sysname-rdsuser-user1] description VIP user expiration-date (RADIUS-server user view) Syntax expiration-date time undo expiration-date View RADIUS-server user view Default level 2: System level Parameters time: Expiration time of the RADIUS user, in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH ranges from 0 to 23, MM and SS range from 0 to 59.
  • Page 108 Default level 2: System level Parameters cipher: Sets and displays the password in cipher text. simple: Sets and displays the password in plain text. password: Password for the RADIUS user, case sensitive. Follow these guidelines: With the cipher keyword specified, the password must be a ciphertext string of 12, 24, 32, 44, 64, ...
  • Page 109: Radius-Server Client-Ip

    [Sysname-rdsuser-user3] password 123456 [Sysname-rdsuser-user3] display this radius-server user3 password cipher xz8n+yXxN+I= return radius-server client-ip Syntax radius-server client-ip ip-address [ key string ] undo radius-server client-ip { ip-address | all } View System view Default level 2: System level Parameters ip-address: IPv4 address of the RADIUS client. key string: Shared key for secure communication with the RADIUS client, a case-sensitive string of 1 to 64 characters.
  • Page 110 View System view Default level 2: System level Parameters user-name: RADIUS username, a case-sensitive string of 1 to 64 characters that can contain the domain name. It cannot contain question mark (?), less-than sign (<), greater-than sign (>), backward slash (\), quotation mark ("), percent sign (%), apostrophe ('), ampersand (&), number sign (#), or spaces and cannot be a, al, or all.
  • Page 111: 802.1X Configuration Commands

    802.1X configuration commands display dot1x Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics.
  • Page 112 Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Reauth Period 3600 s The maximal retransmitting times EAD quick deploy configuration: URL: http://192.168.19.23 Free IP: 192.168.19.0 255.255.255.0 EAD timeout: The maximum 802.1X user resource number is 2048 per slot...
  • Page 113 Field / Description: Handshake Period: Handshake timer in seconds. Reauth Period: Periodic online user re-authentication timer in seconds. Quiet Period: Quiet timer in seconds. Quiet Period Timer is disabled: Status of the quiet timer. In this example, the quiet timer is enabled.
  • Page 114: Dot1X

    Field / Description: EAP Success Packets: Number of sent EAP-Success packets. Fail Packets: Number of sent EAP-Failure packets. Received: EAPOL Start Packets: Number of received EAPOL-Start packets. EAPOL LogOff Packets: Number of received EAPOL-LogOff packets. EAP Response/Identity Packets: Number of received EAP-Response/Identity packets. EAP Response/Challenge Packets: Number of received EAP-Response/Challenge packets. Error Packets...
  • Page 115: Dot1X Authentication-Method

    802.1X must be enabled both globally in system view and for the intended ports in system view or interface view. Otherwise, it does not function. You can configure 802.1X parameters either before or after enabling 802.1X. Related commands: display dot1x. Examples # Enable 802.1X for ports Ethernet 1/0/1, and Ethernet 1/0/5 to Ethernet 1/0/7.
  • Page 116: Dot1X Auth-Fail Vlan

    Use the undo dot1x authentication-method command to restore the default. By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server. The network access device terminates or relays EAP packets: In EAP termination mode, the access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server, and performs either CHAP or PAP authentication with the RADIUS server.
  • Page 117: Dot1X Domain-Delimiter

    Description Use the dot1x auth-fail vlan command to configure an Auth-Fail VLAN for a port. An Auth-Fail VLAN accommodates users that have failed 802.1X authentication because of a failure to comply with the organization's security policy, such as using a wrong password. Use the undo dot1x auth-fail vlan command to restore the default.
  • Page 118: Dot1X Guest-Vlan

    By default, the access device supports only the at sign (@) delimiter for 802.1X users. The delimiter set you configured overrides the default setting. If @ is not included in the delimiter set, the access device will not support the 802.1X users that use @ as the domain name delimiter. If a username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter.
  • Page 119: Dot1X Handshake

    You must enable 802.1X for an 802.1X guest VLAN to take effect. To have the 802.1X guest VLAN take effect, complete the following tasks: Enable 802.1X both globally and on the interface. If the port performs port-based access control, enable the 802.1X multicast trigger function. ...
  • Page 120: Dot1X Handshake Secure

    Use the undo dot1x handshake command to disable the function. By default, the function is enabled. HP recommends that you use the iNode client software to guarantee the normal operation of the online user handshake function. Examples # Enable the online user handshake function.
  • Page 121: Dot1X Mandatory-Domain

    dot1x mandatory-domain Syntax dot1x mandatory-domain domain-name undo dot1x mandatory-domain View Ethernet interface view Default level 2: System level Parameters domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The specified domain must already exist. Description Use the dot1x mandatory-domain command to specify a mandatory 802.1X authentication domain on a port.
  • Page 122: Dot1X Max-User

    dot1x max-user Syntax In system view: dot1x max-user user-number [ interface interface-list ] undo dot1x max-user [ interface interface-list ] In Ethernet interface view: dot1x max-user user-number undo dot1x max-user View System view, Ethernet interface view Default level 2: System level Parameters user-number: Specifies the maximum number of concurrent 802.1X users on a port.
  • Page 123: Dot1X Multicast-Trigger

    # Configure Ethernet 1/0/2 through Ethernet 1/0/5 each to support a maximum of 32 concurrent 802.1X users. <Sysname> system-view [Sysname] dot1x max-user 32 interface ethernet 1/0/2 to ethernet 1/0/5 dot1x multicast-trigger Syntax dot1x multicast-trigger undo dot1x multicast-trigger View Ethernet interface view Default level 2: System level Parameters...
  • Page 124: Dot1X Port-Method

    View System view, Ethernet interface view Default level 2: System level Parameters authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication. auto: Places the specified or all ports initially in the unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in the authorized state to allow access to the network.
  • Page 125: Dot1X Quiet-Period

    In Ethernet interface view: dot1x port-method { macbased | portbased } undo dot1x port-method View System view, Ethernet interface view Default level 2: System level Parameters macbased: Uses MAC-based access control on a port to separately authenticate each user attempting to access the network.
  • Page 126: Dot1X Re-Authenticate

    undo dot1x quiet-period View System view Default level 2: System level Parameters None Description Use the dot1x quiet-period command to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. Use the undo dot1x quiet-period command to disable the timer.
  • Page 127: Dot1X Retry

    Examples # Enable the 802.1X periodic online user re-authentication function on Ethernet 1/0/1 and set the periodic re-authentication interval to 1800 seconds. <Sysname> system-view [Sysname] dot1x timer reauth-period 1800 [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] dot1x re-authenticate dot1x retry Syntax dot1x retry max-retry-value undo dot1x retry View System view...
  • Page 128: Dot1X Timer

    dot1x timer Syntax dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value } undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period } View System view Default level 2: System level Parameters...
  • Page 129: Dot1X Unicast-Trigger

    Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server. Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5 ...
  • Page 130: Reset Dot1X Statistics

    [Sysname-Ethernet1/0/1] dot1x unicast-trigger reset dot1x statistics Syntax reset dot1x statistics [ interface interface-list ] View User view Default level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &...
  • Page 131: Ead Fast Deployment Configuration Commands

    EAD fast deployment configuration commands dot1x free-ip Syntax dot1x free-ip ip-address { mask-address | mask-length } undo dot1x free-ip { ip-address { mask | mask-length } | all } View System view Default level 2: System level Parameters ip-address: Specifies a freely accessible IP address segment, also called "a free IP." mask: Specifies an IP address mask.
  • Page 132: Dot1X Url

    Default level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes, in the range of 1 to 1440. Description Use the dot1x timer ead-timeout command to set the EAD rule timer. Use the undo dot1x timer ead-timeout command to restore the default. By default, the timer is 30 minutes.
  • Page 133 Related commands: display dot1x and dot1x free-ip. Examples # Configure the redirect URL as http://192.168.0.1. <Sysname> system-view [Sysname] dot1x url http://192.168.0.1...
  • Page 134: Mac Authentication Configuration Commands

    MAC authentication configuration commands display mac-authentication Syntax display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
  • Page 135 the max allowed user number is 2048 per slot Current user number amounts to 0 Current domain: not configured, use default domain Silent Mac User info: MAC Addr From Port Port Index Ethernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 0, failed: 0 Max number of on-line users is 2048 Current online user number is 0...
  • Page 136: Mac-Authentication

    Field / Description: Authenticate success: 0, failed: 0: MAC authentication statistics, including the number of successful and unsuccessful authentication attempts. Max number of on-line users: Maximum number of concurrent online users allowed on the port. If MAC authentication is not enabled on the port, the field displays 0.
  • Page 137: Mac-Authentication Domain

    Use the mac-authentication interface interface-list in system view to enable MAC authentication on a list of ports, or the mac-authentication command in interface view to enable MAC authentication on a port. Use the undo mac-authentication command in system view to disable MAC authentication globally. Use the undo mac-authentication interface interface-list in system view to disable MAC authentication on a list of ports, or the undo mac-authentication in interface view to disable MAC authentication on a port.
  • Page 138: Mac-Authentication Guest-Vlan

    The global authentication domain is applicable to all MAC authentication enabled ports. A port specific authentication domain is applicable only to the port. You can specify different authentication domains on different ports. A port chooses an authentication domain for MAC authentication users in this order: port specific domain, global domain, and the default authentication domain.
  • Page 139: Mac-Authentication Max-User

    Related commands: mac-authentication; mac-vlan enable (Layer 2 LAN Switching Command Reference). Examples # Configure VLAN 5 as the MAC authentication guest VLAN on port Ethernet 1/0/1. <Sysname> system-view [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] mac-authentication guest-vlan 5 mac-authentication max-user Syntax mac-authentication max-user user-number undo mac-authentication max-user...
  • Page 140: Mac-Authentication User-Name-Format

    Parameters offline-detect offline-detect-value: Sets the offline detect timer, in the range of 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
  • Page 141 The cipher option specifies an encrypted password, which is saved in cipher text. You can input 1 to 63 characters in plain text, or 24 or 88 characters in cipher text, for the password. If you input no more than 16 characters in plain text, the string is encrypted into a 24-character password. If you input 16 to 63 characters in plain text, the string is encrypted into an 88-character password.
  • Page 142: Reset Mac-Authentication Statistics

    mac-authentication user-name-format fixed account abc password cipher 5Q4$,*^18N'Q=^Q`MAF4<1!! # Configure a shared account for MAC authentication users: set the username as abc and password as 5Q4$,*^18N'Q=^Q`MAF4<1!!, and display the password in cipher text. <Sysname> system-view [Sysname] mac-authentication user-name-format fixed account abc password cipher 5Q4$,*^18N'Q=^Q`MAF4<1!! # Use MAC-based user accounts for MAC authentication users, and each MAC address must be hyphenated, and in upper case.
  • Page 143: Portal Configuration Commands

    Portal configuration commands display portal acl Syntax display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters all: Displays all portal access control lists (ACLs), including dynamic and static portal ACLs.
  • Page 144 VLAN Protocol Destination: : 192.168.1.15 Mask : 255.255.255.255 Rule 1 Inbound interface : all Type : dynamic Action : permit Source: : 8.8.8.8 Mask : 255.255.255.255 : 0015-e9a6-7cfe Interface : Ethernet1/0/1 VLAN Protocol Destination: : 0.0.0.0 Mask : 0.0.0.0 Author ACL: Number : 3001 Rule 2...
  • Page 145: Display Portal Connection Statistics

    Protocol Destination: : 0.0.0.0 Mask : 0.0.0.0 Table 11 Output description Field Description Rule Sequence number of the portal ACL, which is numbered from 0 in ascending order Inbound interface Interface to which the portal ACL is bound Type Type of the portal ACL Action Match action in the portal ACL Source...
  • Page 146 begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display portal connection statistics command to display portal connection statistics on a specified interface or all interfaces.
  • Page 147 MSG_IP_REMOVE MSG_ALL_REMOVE MSG_IFIPADDR_CHANGE MSG_SOCKET_CHANGE MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT Table 12 Output description Field Description User state statistics Statistics on portal users State-Name Name of a user state User-Num Number of users in a specific state Message statistics Statistics on messages Msg-Name Message type Total Total number of messages of a specific type...
  • Page 148: Display Portal Free-Rule

    Field Description MSG_ALL_REMOVE All-users-removed message MSG_IFIPADDR_CHANGE Interface IP address change message MSG_SOCKET_CHANGE Socket change message MSG_NOTIFY Notification message MSG_SETPOLICY Set policy message for assigning security ACL MSG_SETPOLICY_RESULT Set policy response message display portal free-rule Syntax display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level...
  • Page 149: Display Portal Interface

    Mask : 0.0.0.0 Table 13 Output description Field Description Rule-Number Number of the portal-free rule Source Source information in the portal-free rule Source IP address in the portal-free rule Mask Subnet mask of the source IP address in the portal-free rule Source MAC address in the portal-free rule Interface Source interface in the portal-free rule...
  • Page 150: Display Portal Local-Server

    Portal server: servername Portal backup-group: 1 Authentication type: Direct Authentication domain: my-domain Authentication network: source address : 0.0.0.0 mask : 0.0.0.0 destination address : 2.2.2.0 mask : 255.255.255.0 Table 14 Output description Field Description Interface portal configuration Portal configuration on the interface Status of the portal authentication on the interface: •...
  • Page 151: Display Portal Server

    Description Use the display portal local-server command to display configuration information about the local portal server, including the supported protocol type, and the referenced SSL server policy. Related commands: portal local-server and portal local-server bind. Examples # Display configuration information about the local portal server. <Sysname>...
  • Page 152: Display Portal Server Statistics

    Portal server: 0)aaa: : 192.168.0.111 VPN instance : vpn1 Port : 50100 : portal : http://192.168.0.111 Status : Up Table 16 Output description Field Description Number of the portal server Name of the portal server MPLS L3VPN to which the portal server belongs instance IP address of the portal server Port...
  • Page 153 begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display portal server statistics command to display portal server statistics on a specified interface or all interfaces.
  • Page 154: Display Portal Tcp-Cheat Statistics

    Field Description ACK_CHALLENGE: Challenge acknowledgment message the access device sends to the portal server. REQ_AUTH: Authentication request message the portal server sends to the access device. ACK_AUTH: Authentication acknowledgment message the access device sends to the portal server. REQ_LOGOUT: Logout request message the portal server sends to the access device. ACK_LOGOUT: Logout acknowledgment message the access device sends to the portal server. Affirmation message the portal server sends to the access device after...
  • Page 155 Description Use the display portal tcp-cheat statistics command to display TCP spoofing statistics. Examples # Display TCP spoofing statistics. <Sysname> display portal tcp-cheat statistics TCP Cheat Statistic: Total Opens: 0 Resets Connections: 0 Current Opens: 0 Packets Received: 0 Packets Sent: 0 Packets Retransmitted: 0 Packets Dropped: 0 HTTP Packets Sent: 0...
  • Page 156: Display Portal User

    display portal user Syntax display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and name. |: Filters command output by specifying a regular expression.
  • Page 157: Portal Auth-Fail Vlan

    Table 19 Output description Field Description Index Index of the portal user State Current status of the portal user SubState Current sub-status of the portal user Authorization ACL of the portal user User’s working mode, which can be: • Primary Work-mode •...
  • Page 158: Portal Auth-Network

    Examples # Configure VLAN 5 as the Auth-VLAN of portal authentication on port Ethernet 1/0/1, so that the port will add users failing portal authentication to this VLAN. <Sysname> system-view [Sysname] vlan 5 [Sysname-vlan5] quit [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-type hybrid [Sysname-Ethernet1/0/1] mac-vlan enable [Sysname-Ethernet1/0/1] portal auth-fail vlan 5 portal auth-network...
  • Page 159: Portal Backup-Group

    Examples # Configure a portal authentication source subnet of 10.10.10.0/24 on interface VLAN-interface 2 to allow users from subnet 10.10.10.0/24 to trigger portal authentication. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname–Vlan-interface2] portal auth-network 10.10.10.0 24 portal backup-group Syntax portal backup-group group-id undo portal backup-group View VLAN interface view...
  • Page 160: Portal Delete-User

    On the peer device (destination backup device), you must also add the corresponding service backup interface into portal group 1. portal delete-user Syntax portal delete-user { ip-address | all | interface interface-type interface-number } View System view Default level 2: System level Parameters ip-address: Logs off the user with the specified IP address.
  • Page 161: Portal Free-Rule

    By default, no authentication domain is specified for an interface. Related commands: display portal interface. Examples # Configure the authentication domain to be used for portal users on VLAN-interface 100 as my-domain. <Sysname> system-view [Sysname] interface vlan-interface 100 [Sysname–Vlan-interface100] portal domain my-domain # Configure the authentication domain to be used for portal users on port Ethernet 1/0/1 as my-domain.
  • Page 162: Portal Local-Server

    If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect. You cannot configure a portal-free rule to have the same filtering criteria as that of an existing one. When attempted, the system prompts that the rule already exists.
  • Page 163: Portal Local-Server Enable

    If you specify HTTP in this command, the redirection URL for HTTP packets is in the format of http://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTP. If you specify HTTPS in this command, the redirection URL for HTTP packets is in the format of https://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTPS.
  • Page 164: Portal Local-Server Ip

    For normal operation of portal authentication on a Layer 2 port, you must disable portal authentication on all Layer 3 interfaces and HP recommends disabling port security, guest VLAN of 802.1X, and EAD fast deployment of 802.1X on the port. For information about port security and 802.1X features, see Security Configuration Guide.
  • Page 165: Portal Max-User

    [Sysname] portal local-server ip 1.1.1.1 portal max-user Syntax portal max-user max-number undo portal max-user View System view Default level 2: System level Parameters max-number: Specifies the maximum number of online portal users allowed in the system. The value is in the range of 1 to 1024. Description Use the portal max-user command to set the maximum number of online portal users allowed in the...
  • Page 166: Portal Nas-Id-Profile

    user can continue to access the network (without re-authentication) if the following conditions are satisfied: • The new port is up. • The original port and the new port belong to the same VLAN. • The authorization information of the user, if any, is assigned to the new port successfully. If any condition is not satisfied, the device re-authenticates the user on the new port.
  • Page 167: Portal Nas-Ip

    Examples # Specify NAS ID profile aaa for VLAN-interface 2. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] portal nas-id-profile aaa portal nas-ip Syntax portal nas-ip ip-address undo portal nas-ip View VLAN interface view Default level 2: System level Parameters ip-address: Specifies the source IP address to be specified for portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
  • Page 168: Portal Offline-Detect Interval

    Parameters ethernet: Specifies the access port type as Ethernet, which corresponds to code 15. wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, ensuring that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless.
  • Page 169: Portal Redirect-Url

    Examples # Set the online Layer 2 portal user detection interval to 3600 seconds on port Ethernet 1/0/1. <Sysname> system-view [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] portal offline-detect interval 3600 portal redirect-url Syntax portal redirect-url url-string [ wait-time period ] undo portal redirect-url View System view Default level...
  • Page 170: Portal Server

    Layer 3 interface on the device and must be reachable from the portal clients. In portal stateful failover environments, however, HP recommends specifying the virtual IP address of the VRRP group to which the downlink belongs.
  • Page 171: Portal Server Banner

    For local portal server configuration, the keywords key, port, and url are usually not required and, if configured, will not take effect. Related commands: display portal server. Examples # Configure portal server pts, setting the IP address to 192.168.0.111, the key to portal, and the redirection URL to http://192.168.0.111/portal.
  • Page 172: Portal Server Server-Detect

    Default level 2: System level Parameters server-name: Specifies the name of a portal server, a case-sensitive string of 1 to 32 characters. method: Specifies the authentication mode to be used. direct: Specifies direct authentication. layer3: Specifies cross-subnet authentication. redhcp: Specifies re-DHCP authentication. Description Use the portal server method command to enable Layer 3 portal authentication on an interface, and specify the portal server and the authentication mode to be used.
  • Page 173 connection with a portal server can be established, the access device considers that the HTTP service of the portal server is open and the portal server is reachable—the detection succeeds. If the TCP connection cannot be established, the access device considers that the detection fails—the portal server is unreachable.
  • Page 174: Portal Server User-Sync

    If multiple actions are specified, the system executes all the specified actions when the status of a portal server changes. Deleting a portal server on the device deletes the detection function for the portal server. If you configure the detection function for a portal server for multiple times, the last configuration takes effect.
  • Page 175: Portal Web-Proxy Port

    user synchronization packet received from the specified portal server, so as to keep the consistency of the online user information on the device and the portal server. Use the undo portal server user-sync command to cancel the portal user information synchronization configuration with the specified portal server.
  • Page 176: Reset Portal Connection Statistics

    By default, no web proxy server port number is configured on the device and proxied HTTP requests cannot trigger portal authentication. Up to four web proxy server port numbers can be added. If a user’s browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers, you must add the port numbers of the web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.
  • Page 177: Reset Portal Server Statistics

    reset portal server statistics Syntax reset portal server statistics { all | interface interface-type interface-number } View User view Default level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. Description Use the reset portal server statistics command to clear portal server statistics on a specified interface or all interfaces.
  • Page 178: Port Security Configuration Commands

    Port security configuration commands display port-security Syntax display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies Ethernet ports by an Ethernet port list in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
  • Page 179 RALM logoff trap is enabled RALM logfailure trap is enabled AutoLearn aging time is 1 minutes Disableport Timeout: 20s OUI value: Index is 1, OUI value is 000d1a Index is 2, OUI value is 003c12 Ethernet1/0/1 is link-down Port mode is userLoginWithOUI NeedToKnow mode is NeedToKnowOnly Intrusion Portection mode is DisablePort Max MAC address number is 50...
  • Page 180: Display Port-Security Mac-Address Block

    Field Description Disableport Timeout Silence timeout period of the port that receives illegal packets, in seconds. OUI value List of OUI values allowed Port security mode, which can be one of the following modes: • noRestrictions • autoLearn • macAddressWithRadius •...
  • Page 181 View Any view Default level 2: System level Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094. count: Displays only the count of the blocked MAC addresses. |: Filters command output by specifying a regular expression.
  • Page 182: Display Port-Security Mac-Address Security

    # Display information about all blocked MAC addresses of port Ethernet 1/0/1. <Sysname> display port-security mac-address block interface ethernet1/0/1 MAC ADDR From Port VLAN ID 000f-3d80-0d2d Ethernet1/0/1 --- On slot 1, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses of port Ethernet 1/0/1 in VLAN 30.
  • Page 183 include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display port-security mac-address security command to display information about secure MAC addresses. Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command.
  • Page 184: Port-Security Authorization Ignore

    Field Description STATE: Type of the MAC address added. "Security" means it is a secure MAC address. PORT INDEX: Port to which the secure MAC address belongs. AGING TIME(s): Period of time before the secure MAC address ages out. "NOAGED" is displayed for secure MAC addresses.
  • Page 185: Port-Security Intrusion-Mode

    Default level 2: System level Parameters None Description Use the port-security enable command to enable port security. Use the undo port-security enable command to disable port security. By default, port security is disabled. You must disable global 802.1X and MAC authentication before you enable port security on a port. Enabling or disabling port security resets the following security settings to the default: 802.1X access control mode is MAC-based, and the port authorization state is auto.
  • Page 186: Port-Security Mac-Address Aging-Type Inactivity

    Description Use the port-security intrusion-mode command to configure the intrusion protection feature so that the port takes the pre-defined actions when intrusion protection is triggered on the port. Use the undo port-security intrusion-mode command to restore the default. By default, intrusion protection is disabled. To restore the connection of the port, use the undo shutdown command.
  • Page 187: Port-Security Mac-Address Dynamic

    [Sysname-Ethernet1/0/1] port-security mac-address aging-type inactivity port-security mac-address dynamic Syntax port-security mac-address dynamic undo port-security mac-address dynamic View Layer 2 Ethernet interface view Default level 2: System level Parameters None Description Use the port-security mac-address dynamic command to enable the dynamic secure MAC function. This function converts sticky MAC addresses to dynamic, and disables saving them to the configuration file.
  • Page 188 undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] View Layer 2 Ethernet interface view, system view Default level 2: System level Parameters sticky: Specifies a sticky MAC address. If you do not provide this keyword, the command configures a static secure MAC address.
  • Page 189: Port-Security Max-Mac-Count

    <Sysname> system-view [Sysname] port-security enable [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] port-security max-mac-count 100 [Sysname-Ethernet1/0/1] port-security port-mode autolearn [Sysname-Ethernet1/0/1] quit [Sysname] port-security mac-address security 0001-0001-0002 interface ethernet 1/0/1 vlan # Enable port security, set port Ethernet 1/0/1 in autoLearn mode, and add a static secure MAC address 0001-0002-0003 in VLAN 4 in interface view.
  • Page 190: Port-Security Ntk-Mode

    Related commands: display port-security. Examples # Set port security’s limit on the number of MAC addresses to 100 on port Ethernet 1/0/1. <Sysname> system-view [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] port-security max-mac-count 100 port-security ntk-mode Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode View Ethernet interface view...
  • Page 191: Port-Security Port-Mode

    undo port-security oui index index-value View System view Default level 2: System level Parameters oui-value: Specifies an organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value. index-value: Specifies the OUI index, in the range of 1 to 16.
  • Page 192 Parameters Keyword Security mode Description In this mode, a port can learn MAC addresses, and allows frames sourced from learned or configured the MAC addresses to pass. The dynamically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 193: Port-Security Timer Autolearn Aging

    Keyword Security mode Description userlogin-secure-or-mac-ext macAddressOrUserLoginSecureExt: Similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users. Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI (organizationally unique identifier).
  • Page 194: Port-Security Timer Disableport

    Default level 2: System level Parameters time-value: Sets the aging timer in minutes for secure MAC addresses. The value is in the range of 0 to 129600. To disable the aging timer, set the timer to 0. Description Use the port-security timer autolearn aging command to set the secure MAC aging timer. The timer applies to all sticky or dynamic secure MAC addresses.
  • Page 195: Port-Security Trap

    [Sysname] port-security timer disableport 30 [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily port-security trap Syntax port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon } undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon } View System view...
  • Page 196 Examples # Enable MAC address learning traps. <Sysname> system-view [Sysname] port-security trap addresslearned...
  • Page 197: User Profile Configuration Commands

    User profile configuration commands display user-profile Syntax display user-profile [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 198: User-Profile Enable

    user-profile enable Syntax user-profile profile-name enable undo user-profile profile-name enable View System view Default level 2: System level Parameters profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underlines, and it must start with an English letter. The user profile must already exist.
  • Page 199 Use the undo user-profile command to remove an existing disabled user profile. You cannot remove a user profile that is enabled. By default, no user profiles exist on the device. Related commands: user-profile enable. Examples # Create user profile a123. <Sysname>...
  • Page 200: Habp Configuration Commands

    HABP configuration commands display habp Syntax display habp [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 201: Display Habp Table

    display habp table Syntax display habp table [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 202: Habp Client Vlan

    Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 203: Habp Enable

    Description Use the habp client vlan command to specify the VLAN to which the HABP client belongs. HABP packets are to be transmitted in this VLAN. Use the undo habp client command to restore the default. By default, an HABP client belongs to VLAN 1. Examples # Specify the HABP client to belong to VLAN 2.
  • Page 204: Habp Timer

    Parameters vlan-id: Specifies the ID of the VLAN in which HABP packets are to be transmitted, in the range of 1 to 4094. Description Use the habp server vlan command to configure HABP to work in server mode and specify the VLAN in which HABP packets are to be transmitted.
  • Page 205: Public Key Configuration Commands

    Public key configuration commands display public-key local public Syntax display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters dsa: Specifies a DSA key pair. rsa: Specifies an RSA key pair.
  • Page 206: Display Public-Key Peer

    Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12 B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75 1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 20:00:16 2011/03/25 Key name: HOST_KEY Key type: DSA Encryption Key =====================================================...
  • Page 207 Default level 1: Monitor level Parameters brief: Displays brief information about all peer public keys. name publickey-name: Displays information about a peer public key. publickey-name represents a public key by its name, a case-sensitive string of 1 to 64 characters. |: Filters command output by specifying a regular expression.
  • Page 208: Peer-Public-Key End

    <Sysname> display public-key peer brief Type Module Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 29 Output description Field Description Type Key type, which can be RSA or DSA. Module Key modulus length in bits Name Name of the public key peer-public-key end Syntax peer-public-key end...
  • Page 209: Public-Key-Code End

    Spaces and carriage returns are allowed between characters. If the peer device is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant.
  • Page 210: Public-Key Local Create

    [Sysname] public-key peer key1 [Sysname-pkey-public-key] public-key-code begin [Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC 8014F82515F6335A0A [Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D164 3135877E13B1C531B4 [Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6 B80EB5F52698FCF3D6 [Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1 DDE675AC30CB020301 [Sysname-pkey-key-code]0001 [Sysname-pkey-key-code] public-key-code end [Sysname-pkey-public-key] public-key local create Syntax public-key local create { dsa | rsa } View System view Default level 2: System level Parameters dsa: Specifies a DSA key pair.
  • Page 211: Public-Key Local Destroy

    +++++++ +++++++++ # Create a local DSA key pair. <Sysname> system-view [Sysname] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
  • Page 212: Public-Key Local Export Dsa

    public-key local export dsa Syntax public-key local export dsa { openssh | ssh2 } [ filename ] View System view Default level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh2: Uses the format of SSH2.0. filename: Specifies the name of the file for storing the local public key. For more information about file name, see Fundamentals Configuration Guide.
  • Page 213: Public-Key Local Export Rsa

    XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEKdDt6xcatp RjxsSrhXFVIdRjxw59qZnKhl87GsbgP4ccUp3KmcRzuqpz1qNtfgoZOLzHnG1YGxPp7Q2k/uRuuHN0bJfBkOL o2/RyGqDJIqB4FQwmrkwJuauYGqQy+mgE6dmHn0VG4gAkx9MQxDIBjzbZRX0bvxMdNKR22 dsa-key public-key local export rsa Syntax public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ] View System view Default level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh1: Uses the format of SSH1.5. ssh2: Uses the format of SSH2.0.
  • Page 214: Public-Key Peer

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j +o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key public-key peer Syntax public-key peer keyname undo public-key peer keyname View System view Default level 2: System level Parameters keyname: Specifies a name for the peer public key on the local device, a case-sensitive string of 1 to 64 characters.
  • Page 215 Default level 2: System level Parameters keyname: Specifies a public key name, a case-sensitive string of 1 to 64 characters. filename: Specifies the name of the file that saves the peer host public key. For more information about file name, see Fundamentals Configuration Guide. Description Use the public-key peer import sshkey command to import a peer host public key from the public key file.
  • Page 216: Pki Configuration Commands

    PKI configuration commands PKI configuration commands attribute Syntax attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ} attribute-value undo attribute { id | all } View Certificate attribute group view...
  • Page 217: Ca Identifier

    Examples # Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc. <Sysname> system-view [Sysname] pki certificate attribute-group mygroup [Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc # Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc.
  • Page 218: Certificate Request From

    Default level 2: System level Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Description Use the certificate request entity command to specify the entity for certificate request. Use the undo certificate request entity command to remove the configuration. By default, no entity is specified for certificate request.
  • Page 219: Certificate Request Mode

    certificate request mode Syntax certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual } undo certificate request mode View PKI domain view Default level 2: System level Parameters auto: Requests certificates in auto mode. key-length: Length of the RSA keys in bits, in the range of 512 to 2048.
  • Page 220: Certificate Request Url

    Default level 2: System level Parameters count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range of 1 to 100. interval minutes: Specifies the polling interval in minutes, in the range of 5 to 168. Description Use the certificate request polling command to specify the certificate request polling interval and attempt limit.
  • Page 221: Common-Name

    Examples # Specify the certificate request URL. <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] certificate request http://169.254.0.100/certsrv/mscep/mscep.dll common-name Syntax common-name name undo common-name View PKI entity view Default level 2: System level Parameters name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included.
  • Page 222: Crl Check

    Description Use the country command to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China. Use the undo country command to remove the configuration. By default, no country code is specified. Examples # Set the country code of an entity to CN.
  • Page 223: Crl Url

    Default level 2: System level Parameters hours: CRL update period in hours, in the range of 1 to 720. Description Use the crl update-period command to set the CRL update period, the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server. Use the undo crl update-period command to restore the default.
  • Page 224: Display Pki Certificate

    display pki certificate Syntax display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters ca: Displays the CA certificate. local: Displays the local certificate.
  • Page 225: Display Pki Certificate Access-Control-Policy

    Not Before: Jan 13 08:57:21 2011 GMT Not After : Jan 20 09:07:21 2011 GMT Subject: C=CN ST=Country B L=City Y CN=pki test Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00D41D1F … Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name:...
  • Page 226: Display Pki Certificate Attribute-Group

    Parameters policy-name: Name of the certificate attribute-based access control policy, a string of 1 to 16 characters. all: Specifies all certificate attribute-based access control policies. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  • Page 227: Display Pki Crl Domain

    include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display pki certificate attribute-group command to display information about certificate attribute groups. Examples # Display information about certificate attribute group mygroup. <Sysname>...
  • Page 228 include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use the display pki crl domain command to display the locally saved CRLs. Related commands: pki domain and pki retrieval-crl. Examples # Display the locally saved CRLs.
  • Page 229: Fqdn

    Field Description Revocation Date Revocation date of the certificate fqdn Syntax fqdn name-str undo fqdn View PKI entity view Default level 2: System level Parameters name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters.
  • Page 230: Ldap-Server

    Description Use the ip command to configure the IP address of an entity. Use the undo ip command to remove the configuration. By default, no IP address is specified for an entity. Examples # Configure the IP address of an entity as 11.0.0.1. <Sysname>...
  • Page 231: Organization

    Default level 2: System level Parameters locality-name: Name for the geographical locality, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the locality command to configure the geographical locality of an entity, which can be, for example, a city name.
  • Page 232: Organization-Unit

    organization-unit Syntax organization-unit org-unit-name undo organization-unit View PKI entity view Default level 2: System level Parameters org-unit-name: Organization unit name for distinguishing different units in an organization, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the organization-unit command to specify the name of the organization unit to which this entity belongs.
  • Page 233: Pki Certificate Attribute-Group

    Use the undo pki certificate access-control-policy command to remove certificate attribute-based access control policies. No access control policy exists by default. Examples # Configure an access control policy named mypolicy and enter its view. <Sysname> system-view [Sysname] pki certificate access-control-policy mypolicy [Sysname-pki-cert-acp-mypolicy] pki certificate attribute-group Syntax...
  • Page 234: Pki Domain

    Parameters ca: Deletes the locally stored CA certificate. local: Deletes the locally stored local certificate. domain-name: Name of the PKI domain whose certificates are to be deleted, a string of 1 to 15 characters. Description Use the pki delete-certificate command to delete the certificate locally stored for a PKI domain. Examples # Delete the local certificate for PKI domain cer.
  • Page 235: Pki Import-Certificate

    Default level 2: System level Parameters entity-name: Name for the entity, a case-insensitive string of 1 to 15 characters. Description Use the pki entity command to create a PKI entity and enter its view. Use the undo pki entity command to remove a PKI entity. By default, no entity exists.
  • Page 236: Pki Request-Certificate Domain

    Examples # Import the CA certificate for PKI domain cer in the PEM format. <Sysname> system-view [Sysname] pki import-certificate ca domain cer pem pki request-certificate domain Syntax pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] View System view Default level...
  • Page 237: Pki Retrieval-Certificate

    pki retrieval-certificate Syntax pki retrieval-certificate { ca | local } domain domain-name View System view Default level 2: System level Parameters ca: Retrieves the CA certificate. local: Retrieves the local certificate. domain-name: Name of the PKI domain used for certificate request, a string of 1 to 15 characters. Description Use the pki retrieval-certificate command to retrieve a certificate from the server for certificate distribution.
  • Page 238: Pki Validate-Certificate

    pki validate-certificate Syntax pki validate-certificate { ca | local } domain domain-name View System view Default level 2: System level Parameters ca: Verifies the CA certificate. local: Verifies the local certificate. domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
  • Page 239: Rule (Pki Cert Acp View)

    Use the undo root-certificate fingerprint command to remove the configuration. By default, no fingerprint is configured for verifying the validity of the CA root certificate. Examples # Configure an MD5 fingerprint for verifying the validity of the CA root certificate. <Sysname>...
  • Page 240: State

    [Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup state Syntax state state-name undo state View PKI entity view Default level 2: System level Parameters state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the state command to specify the name of the state or province where an entity resides.
  • Page 241: Ipsec Configuration Commands

    IPsec configuration commands NOTE: The 3600 v2 EI switches support using IPsec for OSPFv3, IPv6 BGP, and RIPng; the 3600 v2 SI switches only support using IPsec for RIPng. ah authentication-algorithm Syntax ah authentication-algorithm { md5 | sha1 } undo ah authentication-algorithm View IPsec proposal view Default level...
  • Page 242 View Any view Default level 1: Monitor level Parameters brief: Displays brief information about all IPsec policies. name: Displays detailed information about a specific IPsec policy or IPsec policy group. policy-name: Name of the IPsec policy, a string of 1 to 15 characters. seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.
  • Page 243 Field Description Local-Address IP address of the local end Remote-Address IP address of the remote end # Display detailed information about all IPsec policies. <Sysname> display ipsec policy =========================================== IPsec Policy Group: "aaa" Interface: =========================================== ----------------------------- IPsec policy name: "aaa" sequence number: 1 mode: manual -----------------------------...
  • Page 244: Display Ipsec Proposal

    Field Description tunnel remote address Remote IP address of the tunnel. proposal name Proposal referenced by the IPsec policy. inbound/outbound AH/ESP setting AH/ESP settings in the inbound/outbound direction, including the SPI and keys. display ipsec proposal Syntax display ipsec proposal [ proposal-name ] [ | { begin | exclude | include } regular-expression ] View Any view Default level...
  • Page 245: Display Ipsec Sa

    Field Description Security protocol(s) used by the IPsec proposal: AH, ESP, or both. If both transform protocols are configured, IPsec uses ESP before AH. AH protocol Authentication algorithm used by AH ESP protocol Authentication algorithm and encryption algorithm used by ESP display ipsec sa Syntax display ipsec sa [ brief | policy policy-name [ seq-number ] ] [ | { begin | exclude | include }...
  • Page 246 Table 37 Output description Field Description Src Address Local IP address Dst Address Remote IP address Security parameter index Protocol Security protocol used by IPsec Algorithm Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm.
  • Page 247: Display Ipsec Statistics

    Field Description connection id IPsec tunnel identifier. encapsulation mode Encapsulation mode, transport or tunnel. perfect forward secrecy Whether the perfect forward secrecy feature is enabled. tunnel IPsec tunnel. flow Data flow. inbound Information of the inbound SA. Security parameter index. proposal Security protocol and algorithms used by the IPsec proposal.
  • Page 248: Encapsulation-Mode

    queue is full: 0 authentication has failed: 0 wrong length: 0 replay packet: 0 packet too long: 0 wrong SA: 0 Table 39 Output description Field Description Connection ID ID of the tunnel input/output security packets Counts of inbound and outbound IPsec protected packets input/output security bytes Counts of inbound and outbound IPsec protected bytes Counts of inbound and outbound IPsec protected packets that are...
  • Page 249: Esp Authentication-Algorithm

    Use the undo encapsulation-mode command to restore the default. By default, a security protocol encapsulates IP packets in tunnel mode. IPsec for IPv6 routing protocols supports only the transport mode. Related commands: ipsec proposal. Examples # Configure IPsec proposal prop2 to encapsulate IP packets in transport mode. <Sysname>...
  • Page 250: Esp Encryption-Algorithm

    esp encryption-algorithm Syntax esp encryption-algorithm { 3des | aes [ key-length ] | des } undo esp encryption-algorithm View IPsec proposal view Default level 2: System level Parameters 3des: Uses triple DES (3DES) in cipher block chaining (CBC) mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.
  • Page 251: Ipsec Proposal

    View System view Default level 2: System level Parameters policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included. seq-number: Sequence number for the IPsec policy, in the range of 1 to 65535. manual: Sets up SAs manually.
  • Page 252: Proposal

    Description Use the ipsec proposal command to create an IPsec proposal and enter its view. Use the undo ipsec proposal command to delete an IPsec proposal. By default, no IPsec proposal exists. An IPsec proposal created by using the ipsec proposal command takes the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5 by default.
  • Page 253: Reset Ipsec Sa

    reset ipsec sa Syntax reset ipsec sa [ policy policy-name [ seq-number ] ] View User view Default level 2: System level Parameters policy: Specifies IPsec SAs that use an IPsec policy. policy-name: Name of the IPsec policy, a case-sensitive string of 1 to 15 alphanumeric characters. seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.
  • Page 254: Sa Authentication-Hex

    sa authentication-hex Syntax sa authentication-hex { inbound | outbound } { ah | esp } hex-key undo sa authentication-hex { inbound | outbound } { ah | esp } View IPsec policy view Default level 2: System level Parameters inbound: Specifies the inbound SA through which IPsec processes the received packets. outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
  • Page 255: Sa Encryption-Hex

    sa encryption-hex Syntax sa encryption-hex { inbound | outbound } esp hex-key undo sa encryption-hex { inbound | outbound } esp View IPsec policy view Default level 2: System level Parameters inbound: Specifies the inbound SA through which IPsec processes the received packets. outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
  • Page 256: Sa String-Key

    undo sa spi { inbound | outbound } { ah | esp } View IPsec policy view Default level 2: System level Parameters inbound: Specifies the inbound SA through which IPsec processes the received packets. outbound: Specifies the outbound SA through which IPsec processes the packets to be sent. ah: Uses AH.
  • Page 257 View IPsec policy view Default level 2: System level Parameters inbound: Specifies the inbound SA through which IPsec processes the received packets. outbound: Specifies the outbound SA through which IPsec processes the packets to be sent. ah: Uses AH. esp: Uses ESP. string-key: Key string for the SA, consisting of 1 to 255 characters.
  • Page 258: Transform

    transform Syntax transform { ah | ah-esp | esp } undo transform View IPsec proposal view Default level 2: System level Parameters ah: Uses the AH protocol. ah-esp: Uses ESP first and then AH. esp: Uses the ESP protocol. Description Use the transform command to specify a security protocol for an IPsec proposal.
  • Page 259: Ssh2.0 Configuration Commands

    SSH2.0 configuration commands SSH2.0 server configuration commands display ssh server Syntax display ssh server { session | status } [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters session: Displays the session information of the SSH server. status: Displays the status information of the SSH server.
  • Page 260: Display Ssh User-Information

    SFTP Server Idle-Timeout: 10 minute(s) Table 40 Output description Field Description SSH Server Whether the SSH server function is enabled SSH protocol version SSH version When the SSH supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.0. SSH authentication-timeout Authentication timeout period SSH server key generating interval...
  • Page 261: Ssh Server Authentication-Retries

    |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 262: Ssh Server Authentication-Timeout

    Default level 3: Manage level Parameters times: Maximum number of authentication attempts, in the range of 1 to 5. Description Use the ssh server authentication-retries command to set the maximum number of SSH connection authentication attempts. Use the undo ssh server authentication-retries command to restore the default. By default, the maximum number of SSH connection authentication attempts is 3.
  • Page 263: Ssh Server Compatible-Ssh1X Enable

    Examples # Set the SSH user authentication timeout period to 10 seconds. <Sysname> system-view [Sysname] ssh server authentication-timeout 10 ssh server compatible-ssh1x enable Syntax ssh server compatible-ssh1x enable undo ssh server compatible-ssh1x View System view Default level 3: Manage level Parameters None Description...
  • Page 264: Ssh Server Rekey-Interval

    Description Use the ssh server enable command to enable the SSH server function. Use the undo ssh server enable command to disable the SSH server function. By default, SSH server is disabled. Examples # Enable SSH server. <Sysname> system-view [Sysname] ssh server enable ssh server rekey-interval Syntax ssh server rekey-interval hours...
  • Page 265 ssh user username service-type { all | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name } undo ssh user username View System view Default level 3: Manage level Parameters username: SSH username, a case-sensitive string of 1 to 80 characters. service-type: Specifies the service type of an SSH user, which can be one of the following: all: Specifies both secure Telnet and secure FTP.
  • Page 266: Ssh2.0 Client Configuration Commands

    You can change the authentication method and public key of an SSH user when the user is communicating with the SSH server. However, your changes take effect only after the user logs out and logs in again. If an SFTP user has been assigned a public key, it is necessary to set a working folder for the user. The working folder of an SFTP user depends on the user authentication method.
  • Page 267: Display Ssh Server-Info

    Examples # Display the source IP address or source interface of the SSH client. <Sysname> display ssh client source The source IP address you specified is 192.168.0.1 display ssh server-info Syntax display ssh server-info [ | { begin | exclude | include } regular-expression ] View Any view Default level...
  • Page 268: Ssh Client Authentication Server

    Field Description Server public key name Name of the host public key of the server ssh client authentication server Syntax ssh client authentication server server assign publickey keyname undo ssh client authentication server server assign publickey View System view Default level 2: System level Parameters server: IP address or name of the server, a string of 1 to 80 characters.
  • Page 269: Ssh Client Ipv6 Source

    Default level 2: System level Parameters None Description Use the ssh client first-time enable command to enable the first-time authentication function. Use the undo ssh client first-time command to disable the function. By default, the function is enabled. With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server, and save the host public key on the client.
  • Page 270: Ssh Client Source

    Related commands: display ssh client source. Examples # Specify the source IPv6 address as 2:2::2:2 for the SSH client. <Sysname> system-view [Sysname] ssh client ipv6 source ipv6 2:2::2:2 ssh client source Syntax ssh client source { ip ip-address | interface interface-type interface-number } undo ssh client source View System view...
  • Page 271 Parameters server: IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters. port-number: Port number of the server, in the range of 0 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 272: Ssh2 Ipv6

    ssh2 ipv6 Syntax ssh2 ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * View...
  • Page 273: Sftp Server Configuration Commands

    Preferred key exchange algorithm: DH-group1 • Preferred encryption algorithm from server to client: AES128 • Preferred HMAC algorithm from client to server: MD5 • Preferred HMAC algorithm from server to client: SHA1-96 <Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 SFTP server configuration commands...
  • Page 274: Sftp Client Configuration Commands

    Parameters time-out-value: Timeout period in minutes, in the range of 1 to 35791. Description Use the sftp server idle-timeout command to set the idle timeout period for SFTP user connections. Use the undo sftp server idle-timeout command to restore the default. By default, the idle timeout period is 10 minutes.
  • Page 275: Cdup

    Default level 3: Manage level Parameters remote-path: Name of a path on the server. Description Use the cd command to change the working path on a remote SFTP server. With the argument not specified, the command displays the current working path. NOTE: You can use the cd ..
  • Page 276: Dir

    Default level 3: Manage level Parameters remote-file&<1-10>: Names of files on the server. &<1-10> means that you can provide up to 10 filenames, which are separated by space. Description Use the delete command to delete files from a server. This command functions as the remove command.
  • Page 277: Display Sftp Client Source

    sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1 drwxrwxrwx...
  • Page 278: Get

    Default level 3: Manage level Parameters None Description Use the exit command to terminate the connection with a remote SFTP server and return to user view. This command functions as the bye and quit commands. Examples # Terminate the connection with the remote SFTP server. sftp-client>...
  • Page 279 Default level 3: Manage level Parameters all: Displays a list of all commands. command-name: Name of a command. Description Use the help command to display a list of all commands or the help information of an SFTP client command. With neither the argument nor the keyword specified, the command displays a list of all commands. Examples # Display the help information of the get command.
  • Page 280: Mkdir

    -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2 -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2 mkdir Syntax mkdir remote-path View SFTP client view Default level...
  • Page 281: Pwd

    Uploading file successfully ended pwd Syntax pwd View SFTP client view Default level 3: Manage level Parameters None Description Use the pwd command to display the current working directory of a remote SFTP server. Examples # Display the current working directory of the remote SFTP server. sftp-client>...
  • Page 282: Remove

    remove Syntax remove remote-file&<1-10> View SFTP client view Default level 3: Manage level Parameters remote-file&<1-10>: Names of files on an SFTP server. &<1-10> means that you can provide up to 10 filenames, which are separated by space. Description Use the remove command to delete files from a remote server.
  • Page 283: Rmdir

    rmdir Syntax rmdir remote-path&<1-10> View SFTP client view Default level 3: Manage level Parameters remote-path&<1-10>: Names of directories on the remote SFTP server. &<1-10> means that you can provide up to 10 directory names that are separated by space. Description Use the rmdir command to delete the specified directories from an SFTP server.
  • Page 284: Sftp Client Ipv6 Source

    prefer-ctos-hmac: Preferred HMAC algorithm from client to server, defaulted to sha1-96. • md5: HMAC algorithm hmac-md5. • md5-96: HMAC algorithm hmac-md5-96. • sha1: HMAC algorithm hmac-sha1. • sha1-96: HMAC algorithm hmac-sha1-96. prefer-kex: Preferred key exchange algorithm, defaulted to dh-group-exchange. • dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1. ...
  • Page 285: Sftp Client Source

    Description Use the sftp client ipv6 source command to specify the source IPv6 address or source interface for an SFTP client. Use the undo sftp client ipv6 source command to remove the configuration. By default, an SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.
  • Page 286 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * View User view Default level 3: Manage level Parameters server: IPv6 address or host name of the server, a case-insensitive string of 1 to 46 characters. port-number: Port number of the server, in the range of 0 to 65535.
  • Page 287 <Sysname> sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 Input Username:...
  • Page 288: Ssl Configuration Commands

    SSL configuration commands ciphersuite Syntax ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] * View SSL server policy view Default level 2: System level Parameters rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.
  • Page 289: Client-Verify Enable

    client-verify enable Syntax client-verify enable undo client-verify enable View SSL server policy view Default level 2: System level Parameters None Description Use the client-verify enable command to configure the SSL server to require the client to pass certificate-based authentication. Use the undo client-verify enable command to restore the default. By default, the SSL server does not require certificate-based SSL client authentication.
  • Page 290: Close-Mode Wait

    Description Use the client-verify weaken command to enable SSL client weak authentication. Use the undo client-verify weaken command to restore the default. By default, SSL client weak authentication is disabled. If the SSL server requires certificate-based client authentication and the SSL client weak authentication function is enabled, whether the client must be authenticated is up to the client.
  • Page 291: Display Ssl Client-Policy

    Examples # Set the SSL connection close mode to wait. <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] close-mode wait display ssl client-policy Syntax display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] View Any view Default level...
  • Page 292: Display Ssl Server-Policy

    Field Description Server-verify Whether server authentication is enabled for the SSL client policy display ssl server-policy Syntax display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.
  • Page 293: Handshake Timeout

    Table 45 Output description Field Description SSL Server Policy SSL server policy name. PKI Domain PKI domain used by the SSL server policy. Ciphersuite Cipher suites supported by the SSL server policy. Handshake Timeout Handshake timeout time of the SSL server policy, in seconds. Close mode of the SSL server policy, which can be: •...
  • Page 294: Pki-Domain

    pki-domain Syntax pki-domain domain-name undo pki-domain View SSL server policy view, SSL client policy view Default level 2: System level Parameters domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters. Description Use the pki-domain command to specify a PKI domain for an SSL server policy or SSL client policy. Use the undo pki-domain command to restore the default.
  • Page 295: Server-Verify Enable

    rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA. rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA.
  • Page 296: Session

    Examples # Enable certificate-based SSL server authentication. <Sysname> system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] server-verify enable session Syntax session { cachesize size | timeout time } * undo session { cachesize | timeout } * View SSL server policy view Default level 2: System level Parameters...
  • Page 297: Ssl Server-Policy

    undo ssl client-policy { policy-name | all } View System view Default level 2: System level Parameters policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be “a”, “al”, or “all”. all: Specifies all SSL client policies. Description Use the ssl client-policy command to create an SSL policy and enter its view.
  • Page 298: Version

    Examples # Create SSL server policy policy1 and enter its view. <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] version Syntax version { ssl3.0 | tls1.0 } undo version View SSL client policy view Default level 2: System level Parameters ssl3.0: Specifies SSL 3.0. tls1.0: Specifies TLS 1.0.
  • Page 299: Tcp Attack Protection Configuration Commands

    TCP attack protection configuration commands display tcp status Syntax display tcp status [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 300: Tcp Syn-Cookie Enable

    tcp syn-cookie enable Syntax tcp syn-cookie enable undo tcp syn-cookie enable View System view Default level 2: System level Parameters None Description Use the tcp syn-cookie enable command to enable the SYN Cookie feature to protect the device against SYN Flood attacks. Use the undo tcp syn-cookie enable command to disable the SYN Cookie feature.
  • Page 301: Ip Source Guard Configuration Commands

    IP source guard configuration commands display ip source binding Syntax display ip source binding [ static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level...
  • Page 302: Display Ipv6 Source Binding

    Total entries found: 3
    MAC Address IP Address VLAN Interface Type
    040a-0000-4000 10.1.0.9 Eth1/0/1 Static
    040a-0000-3000 10.1.0.8 Eth1/0/2 DHCP-SNP
    040a-0000-2000 10.1.0.7 Eth1/0/2 DHCP-SNP
    # Display all static IPv4 source guard binding entries.
    <Sysname> display ip source binding static
    Total entries found: 2
    MAC Address IP Address VLAN...
  • Page 303 mac-address mac-address: Displays the IPv6 source guard binding entries of a MAC address. The MAC address must be in the format H-H-H. slot slot-number: Displays the IPv6 source guard binding entries on an IRF member switch. The slot-number argument specifies the ID of an IRF member switch. The value range for the argument depends on the number of member switches and their member IDs in the IRF fabric.
  • Page 304: Ip Source Binding

    Field Description Type Type of the binding entry, including: • Static-IPv6—static IPv6 binding entry • DHCPv6-SNP—entry generated based on DHCPv6 snooping entry • ND-SNP—entry generated based on ND snooping entry ip source binding Syntax ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } undo ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address }...
  • Page 305: Ip Verify Source

    ip verify source Syntax ip verify source { ip-address | ip-address mac-address | mac-address } undo ip verify source View Layer 2 Ethernet interface view, VLAN interface view, port group view Default level 2: System level Parameters ip-address: Binds source IPv4 addresses to the port. ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port.
  • Page 306: Ipv6 Source Binding

    undo ip verify source max-entries View Layer 2 Ethernet interface view Default level 2: System level Parameters number: Maximum number of IPv4 source guard binding entries allowed on a port. The value is in the range of 0 to 2048. Description Use the ip verify source max-entries command to set the maximum number of static and dynamic IPv4 source guard binding entries on a port.
  • Page 307: Ipv6 Verify Source

    Description Use the ipv6 source binding command to configure a static IPv6 source guard binding entry on a port. Use the undo ipv6 source binding command to delete a static IPv6 source guard binding entry from a port. By default, no static IPv6 binding entry exists on a port. You cannot configure the same static binding entry repeatedly on one port, but you can configure the same static entry on different ports.
  • Page 308: Ipv6 Verify Source Max-Entries

    Related commands: display ipv6 source binding. Examples # Configure dynamic IPv6 binding on Layer 2 Ethernet port Ethernet 1/0/1 to filter IPv6 packets based on the source IPv6 address and MAC address. <Sysname> system-view [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address ipv6 verify source max-entries Syntax ipv6 verify source max-entries number...
  • Page 309: Arp Attack Protection Configuration Commands

    ARP attack protection configuration commands ARP defense against IP packet attacks configuration commands arp resolving-route enable Syntax arp resolving-route enable undo arp resolving-route enable View System view Default level 2: System level Parameters None Description Use the arp resolving-route enable command to enable ARP black hole routing. Use the undo arp resolving-route enable command to disable the function.
  • Page 310: Arp Source-Suppression Limit

    Description Use the arp source-suppression enable command to enable the ARP source suppression function. Use the undo arp source-suppression enable command to disable the function. By default, the ARP source suppression function is disabled. Related commands: display arp source-suppression. Examples # Enable the ARP source suppression function.
  • Page 311: Arp Packet Rate Limit Configuration Commands

    View Any view Default level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 312: Arp Rate-Limit Information

    Parameters disable: Disables ARP packet rate limit. rate pps: Specifies the ARP packet rate in pps, in the range of 5 to 100. drop: Discards the exceeded packets. Description Use the arp rate-limit command to configure or disable ARP packet rate limit on an interface. Use the undo arp rate-limit command to restore the default.
  • Page 313: Source Mac Address Based Arp Attack Detection Configuration Commands

    Source MAC address based ARP attack detection configuration commands arp anti-attack source-mac Syntax arp anti-attack source-mac { filter | monitor } undo arp anti-attack source-mac [ filter | monitor ] View System view Default level 2: System level Parameters filter: Specifies the filter mode. monitor: Specifies the monitor mode.
  • Page 314: Arp Anti-Attack Source-Mac Exclude-Mac

    View System view Default level 2: System level Parameters time: Specifies the age timer for protected MAC addresses, in the range of 60 to 6000 seconds. Description Use the arp anti-attack source-mac aging-time command to configure the age timer for protected MAC addresses.
  • Page 315: Arp Anti-Attack Source-Mac Threshold

    [Sysname] arp anti-attack source-mac exclude-mac 2-2-2 arp anti-attack source-mac threshold Syntax arp anti-attack source-mac threshold threshold-value undo arp anti-attack source-mac threshold View System view Default level 2: System level Parameters threshold-value: Specifies the threshold for source MAC address based ARP attack detection, in the range of 10 to 100.
  • Page 316: Arp Packet Source Mac Address Consistency Check Configuration Commands

    |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 317: Arp Active Acknowledgement Configuration Commands

    Use the undo arp anti-attack valid-check enable command to restore the default. By default, ARP packet source MAC address consistency check is disabled. Examples # Enable ARP packet source MAC address consistency check. <Sysname> system-view [Sysname] arp anti-attack valid-check enable ARP active acknowledgement configuration commands arp anti-attack active-ack enable...
  • Page 318: Arp Detection Trust

    View VLAN view Default level 2: System level Parameters None Description Use the arp detection enable command to enable ARP detection for the VLAN. Use the undo arp detection enable command to restore the default. By default, ARP detection is disabled for a VLAN. Examples # Enable ARP detection for VLAN 1.
  • Page 319: Arp Detection Validate

    arp detection validate Syntax arp detection validate { dst-mac | ip | src-mac } * undo arp detection validate [ dst-mac | ip | src-mac ] * View System view Default level 2: System level Parameters dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
  • Page 320: Display Arp Detection

    Parameters None Description Use the arp restricted-forwarding enable command to enable ARP restricted forwarding. Use the undo arp restricted-forwarding enable command to disable ARP restricted forwarding. By default, ARP restricted forwarding is disabled. Examples # Enable ARP restricted forwarding in VLAN 1. <Sysname>...
  • Page 321: Display Arp Detection Statistics

    display arp detection statistics Syntax display arp detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters interface interface-type interface-number: Displays the ARP detection statistics of a specified interface. |: Filters command output by specifying a regular expression.
  • Page 322: Reset Arp Detection Statistics

    reset arp detection statistics Syntax reset arp detection statistics [ interface interface-type interface-number ] View User view Default level 1: Monitor level Parameters interface interface-type interface-number: Clears the ARP detection statistics of a specified interface. Description Use the reset arp detection statistics command to clear ARP detection statistics of a specified interface. If no interface is specified, the statistics of all the interfaces will be cleared.
  • Page 323: Arp Scan

    Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S. When the dynamic ARP entries are changed into static, new dynamic ARP entries may be created (suppose the number is M) and some of the dynamic ARP entries may be aged out (suppose the number is N).
  • Page 324: Arp Gateway Protection Configuration Commands

    [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] arp scan # Configure the device to scan a specific address range for neighbors. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20 ARP gateway protection configuration commands arp filter source Syntax arp filter source ip-address undo arp filter source ip-address View...
  • Page 325 undo arp filter binding ip-address View Layer 2 Ethernet interface view, Layer 2 aggregate interface view Default level 2: System level Parameters ip-address: Specifies the permitted sender IP address. mac-address: Specifies the permitted sender MAC address. Description Use the arp filter binding command to configure an ARP filtering entry. If the sender IP and MAC addresses of an ARP packet match an ARP filtering entry, the ARP packet is permitted.
  • Page 326: Nd Attack Defense Configuration Commands

    ND attack defense configuration commands Source MAC consistency check commands ipv6 nd mac-check enable Syntax ipv6 nd mac-check enable undo ipv6 nd mac-check enable View System view Default level 2: System level Parameters None Description Use the ipv6 nd mac-check enable command to enable source MAC consistency check for ND packets. Use the undo ipv6 nd mac-check enable command to disable source MAC consistency check for ND packets.
  • Page 327: Nd Detection Configuration Commands

    ND detection configuration commands display ipv6 nd detection Syntax display ipv6 nd detection [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
  • Page 328: Display Ipv6 Nd Detection Statistics

    display ipv6 nd detection statistics Syntax display ipv6 nd detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters interface interface-type interface-number: Displays ND detection statistics for the interface identified by interface-type interface-number.
  • Page 329: Ipv6 Nd Detection Trust

    Default level 2: System level Parameters None Description Use the ipv6 nd detection enable command to enable ND detection in a VLAN to check ND packets for source spoofing. Use the undo ipv6 nd detection enable command to disable ND detection. By default, ND detection is disabled.
  • Page 330: Reset Ipv6 Nd Detection Statistics

    <Sysname> system-view [Sysname] interface bridge-Aggregation 1 [Sysname-Bridge-Aggregation1] ipv6 nd detection trust reset ipv6 nd detection statistics Syntax reset ipv6 nd detection statistics [ interface interface-type interface-number ] View User view Default level 1: Monitor level Parameters interface interface-type interface-number: Clears the statistics of the interface identified by interface-type interface-number.
  • Page 331: Urpf Configuration Commands

    URPF configuration commands NOTE: The term router in this document refers to both routers and Layer 3 switches. ip urpf Syntax ip urpf { loose | strict } undo ip urpf View System view Default level 2: System level Parameters loose: Specifies loose URPF check.
  • Page 332: Mff Configuration Commands

    MFF configuration commands display mac-forced-forwarding interface Syntax display mac-forced-forwarding interface [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 333 View Any view Default level 1: Monitor level Parameters vlan-id: VLAN ID. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 334: Mac-Forced-Forwarding

    mac-forced-forwarding Syntax mac-forced-forwarding { auto | default-gateway gateway-ip } undo mac-forced-forwarding View VLAN view Default level 2: System level Parameters auto: Specifies the automatic mode. default-gateway gateway-ip: Specifies the IP address of the default gateway in the manual mode. Description Use the mac-forced-forwarding command to enable MFF and specify an MFF operating mode.
  • Page 335: Mac-Forced-Forwarding Network-Port

    Parameters None Description Use the mac-forced-forwarding gateway probe command to enable periodic gateway MAC address probe. The probe interval is 30 seconds, and the probe mode can be manual or automatic. Use the undo mac-forced-forwarding gateway probe command to restore the default. By default, periodic gateway MAC address probe is disabled.
  • Page 336: Mac-Forced-Forwarding Server

    <Sysname> system-view [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] mac-forced-forwarding network-port mac-forced-forwarding server Syntax mac-forced-forwarding server server-ip&<1-10> undo mac-forced-forwarding server [ server-ip&<1-10> ] View VLAN view Default level 2: System level Parameters server-ip&<1-10>: Specifies the IP address of a server in the network. &<1-10> means you can specify up to ten server IP addresses in one command line.
  • Page 337: Savi Configuration Commands

    SAVI configuration commands ipv6 savi dad-delay Syntax ipv6 savi dad-delay value undo ipv6 savi dad-delay View System view Default level 2: System level Parameters value: Specifies the time (in centiseconds) to wait for a duplicate address detection (DAD) NA, ranging from 0 to 2147483647.
  • Page 338: Ipv6 Savi Strict

    Description Use the ipv6 savi dad-preparedelay command to set the time to wait for a DAD NS from a DHCPv6 client. Use the undo ipv6 savi dad-preparedelay command to restore the default. By default, the time to wait for a DAD NS from a DHCPv6 client is 100 centiseconds (1 second). This command is used with the DHCPv6 snooping function.
  • Page 339: Blacklist Configuration Commands

    Blacklist configuration commands blacklist enable Syntax blacklist enable undo blacklist enable View System view Default level 2: System level Parameters None Description Use the blacklist enable command to enable the blacklist feature. With the blacklist feature enabled, the switch filters all packets from IP addresses on the blacklist. Use the undo blacklist enable command to restore the default.
  • Page 340: Display Blacklist

    all: Specifies all blacklist entries. timeout minutes: Specifies the aging time for the entry in minutes, in the range of 1 to 1000. If you do not specify this option, the entry does not age and is always effective, unless you manually remove it. Description Use the blacklist ip command to add a blacklist entry.
  • Page 341 Description Use the display blacklist command to display blacklist information. Related commands: blacklist enable and blacklist ip. Examples # Display information about all blacklist entries. <Sysname> display blacklist all Blacklist information ------------------------------------------------------------------------------ Blacklist : enabled Blacklist items ------------------------------------------------------------------------------ Type Aging started Aging finished Dropped packets YYYY/MM/DD hh:mm:ss YYYY/MM/DD hh:mm:ss...
  • Page 342: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals • For related documentation, navigate to the Networking section, and select a networking category.
  • Page 343: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 344 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.