HPE FlexNetwork 10500 Series Security Command Reference

HPE FlexNetwork 10500 Switch Series
Security Command Reference
Part number: 5200-1909a
Software version: 10500-CMW710-R7557P01
Document version: 6W101-20171020

Summary of Contents for HPE FlexNetwork 10500 Series

  • Page 2 © Copyright 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents
    AAA commands (p. 1)
      General AAA commands (p. 1)
        aaa nas-id profile (p. 1)
        aaa session-limit (p. 2)
        accounting command (p. 2)
        accounting default (p. 3)
        accounting dual-stack (p. 4)
        accounting lan-access (p. 5)
        accounting login (p. 7)
        accounting portal (p. 8)
        accounting quota-out ...
  • Page 4
    sponsor-department (p. 61)
    sponsor-email (p. 61)
    sponsor-full-name (p. 62)
    state (local user view) (p. 62)
    user-group (p. 63)
    validity-datetime (p. 64)
    RADIUS commands (p. 65)
      aaa device-id (p. 65)
      accounting-on enable (p. 66)
      accounting-on extended (p. 66)
      attribute 15 check-mode (p. 67)
      attribute 25 car ...
  • Page 5
    primary accounting (HWTACACS scheme view) (p. 125)
    primary authentication (HWTACACS scheme view) (p. 126)
    primary authorization (p. 128)
    reset hwtacacs statistics (p. 129)
    reset stop-accounting-buffer (for HWTACACS) (p. 130)
    retry stop-accounting (HWTACACS scheme view) (p. 130)
    secondary accounting (HWTACACS scheme view) (p. 131)
    secondary authentication (HWTACACS scheme view) ...
  • Page 6
    dot1x handshake (p. 184)
    dot1x handshake reply enable (p. 185)
    dot1x handshake secure (p. 185)
    dot1x mac-binding (p. 186)
    dot1x mac-binding enable (p. 187)
    dot1x mandatory-domain (p. 188)
    dot1x max-user (p. 189)
    dot1x multicast-trigger (p. 189)
    dot1x port-control (p. 190)
    dot1x port-method ...
  • Page 7
    display portal rule (p. 241)
    display portal server (p. 245)
    display portal user (p. 246)
    display portal web-server (p. 253)
    display web-redirect rule (p. 254)
    if-match (p. 256)
    ip (MAC binding server view) (p. 258)
    ip (portal authentication server view) (p. 259)
    ipv6 ...
  • Page 8
    display port-security mac-address security (p. 311)
    port-security access-user log enable (p. 312)
    port-security authentication open (p. 313)
    port-security authentication open global (p. 314)
    port-security authorization ignore (p. 315)
    port-security authorization-fail offline (p. 315)
    port-security enable (p. 316)
    port-security free-vlan (p. 317)
    port-security intrusion-mode ...
  • Page 9
    public-key local destroy (p. 373)
    public-key local export dsa (p. 375)
    public-key local export ecdsa (p. 377)
    public-key local export rsa (p. 378)
    public-key peer (p. 380)
    public-key peer import sshkey (p. 381)
    PKI commands (p. 383)
      attribute (p. 383)
      ca identifier (p. 384)
      certificate request entity ...
  • Page 10
    encapsulation-mode (p. 458)
    esn enable (p. 459)
    esp authentication-algorithm (p. 460)
    esp encryption-algorithm (p. 461)
    ike-profile (p. 463)
    ikev2-profile (p. 463)
    ipsec { ipv6-policy | policy } (p. 464)
    ipsec { ipv6-policy | policy } isakmp template (p. 465)
    ipsec anti-replay check (p. 468)
    ipsec anti-replay window ...
  • Page 11
    ike keepalive interval (p. 517)
    ike keepalive timeout (p. 518)
    ike keychain (p. 519)
    ike limit (p. 520)
    ike nat-keepalive (p. 520)
    ike profile (p. 521)
    ike proposal (p. 522)
    ike signature-identity from-certificate (p. 523)
    inside-vpn (p. 523)
    keychain (p. 524)
    local-identity ...
  • Page 12
    priority (IKEv2 profile view) (p. 576)
    proposal (p. 576)
    reset ikev2 sa (p. 577)
    reset ikev2 statistics (p. 578)
    sa duration (p. 579)
    SSH commands (p. 580)
      SSH server commands (p. 580)
        display ssh server (p. 580)
        display ssh user-information (p. 581)
        free ssh ...
  • Page 13
    ssh2 ipv6 suite-b (p. 635)
    ssh2 suite-b (p. 637)
    SSH2 commands (p. 639)
      display ssh2 algorithm (p. 639)
      ssh2 algorithm cipher (p. 640)
      ssh2 algorithm key-exchange (p. 641)
      ssh2 algorithm mac (p. 642)
      ssh2 algorithm public-key (p. 643)
    SSL commands (p. 645)
      ciphersuite ...
  • Page 14
    exempt acl (p. 701)
    fin-flood action (p. 702)
    fin-flood detect (p. 703)
    fin-flood detect non-specific (p. 704)
    fin-flood threshold (p. 704)
    http-flood action (p. 705)
    http-flood detect (p. 706)
    http-flood detect non-specific (p. 707)
    http-flood port (p. 708)
    http-flood threshold (p. 709)
    icmp-flood action ...
  • Page 15
    ARP attack protection commands (p. 756)
      Unresolvable IP attack protection commands (p. 756)
        arp resolving-route enable (p. 756)
        arp resolving-route probe-count (p. 756)
        arp resolving-route probe-interval (p. 757)
        arp source-suppression enable (p. 758)
        arp source-suppression limit (p. 758)
        display arp source-suppression (p. 759)
      ARP packet rate limit commands ...
  • Page 16
    if-match hop-limit (p. 787)
    if-match prefix (p. 788)
    if-match router-preference (p. 789)
    ipv6 nd raguard apply policy (p. 790)
    ipv6 nd raguard log enable (p. 790)
    ipv6 nd raguard policy (p. 791)
    ipv6 nd raguard role (p. 792)
    reset ipv6 nd raguard statistics (p. 793)
    IPv4 uRPF commands ...
  • Page 17
    Web authentication commands (p. 837)
      display web-auth (p. 837)
      display web-auth free-ip (p. 838)
      display web-auth server (p. 838)
      display web-auth user (p. 839)
      ip (p. 840)
      redirect-wait-time (p. 841)
      url (p. 842)
      url-parameter (p. 843)
      web-auth auth-fail vlan (p. 844)
      web-auth domain ...
  • Page 18: Aaa Commands

    AAA commands
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
    General AAA commands
    aaa nas-id profile
    Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.
  • Page 19: Aaa Session-Limit

    aaa session-limit
    Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method. Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.
    Syntax
    In non-FIPS mode:
    aaa session-limit { ftp | http | https | ssh | telnet } max-sessions...
  • Page 20: Accounting Default

    Syntax
    accounting command hwtacacs-scheme hwtacacs-scheme-name
    undo accounting command
    Default
    The default accounting methods of the ISP domain are used for command line accounting.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 21: Accounting Dual-Stack

    accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
    undo accounting default
    Default
    The default accounting method of an ISP domain is local.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin...
  • Page 22: Accounting Lan-Access

    Use undo accounting dual-stack to restore the default.
    Syntax
    accounting dual-stack { merge | separate }
    undo accounting dual-stack
    Default
    The merge method applies.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    merge: Merges IPv4 data with IPv6 data for accounting.
    separate: Separates IPv4 data from IPv6 data for accounting.
  • Page 23
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
    radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 24: Accounting Login

    Related commands
    accounting default
    local-user
    radius scheme
    accounting login
    Use accounting login to specify accounting methods for login users. Use undo accounting login to restore the default.
    Syntax
    In non-FIPS mode:
    accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
    undo accounting login
    In FIPS mode:...
  • Page 25: Accounting Portal

    Examples
    # In ISP domain test, perform local accounting for login users.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting login local
    # In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.
    <Sysname>...
  • Page 26: Accounting Quota-Out

    local: Performs local accounting.
    none: Does not perform accounting.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines
    You can specify one primary accounting method and multiple backup accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
  • Page 27: Accounting Start-Fail

    Syntax
    accounting quota-out { offline | online }
    undo accounting quota-out
    Default
    The device logs off users that have used up their data quotas.
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    offline: Logs off users that have used up their data quotas.
    online: Allows users that have used up their data quotas to stay online.
  • Page 28: Accounting Update-Fail

    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting start-fail online
    accounting update-fail
    Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts. Use undo accounting update-fail to restore the default.
    Syntax
    accounting update-fail { [ max-times max-times ] offline | online }
    undo accounting update-fail
    Default
    The device allows users that have failed all their accounting-update attempts to stay online.
  • Page 29
    authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
    undo authentication default
    Default
    The default authentication method of an ISP domain is local.
    Views
    ISP domain view
    Predefined user roles...
  • Page 30: Authentication Lan-Access

    authentication lan-access
    Use authentication lan-access to specify authentication methods for LAN users. Use undo authentication lan-access to restore the default.
    Syntax
    In non-FIPS mode:
    authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
    undo authentication lan-access
    In FIPS mode:...
  • Page 31: Authentication Login

    [Sysname] domain test
    [Sysname-isp-test] authentication lan-access radius-scheme rd local
    Related commands
    authentication default
    hwtacacs scheme
    ldap scheme
    local-user
    radius scheme
    authentication login
    Use authentication login to specify authentication methods for login users. Use undo authentication login to restore the default.
    Syntax
    In non-FIPS mode:
    authentication...
  • Page 32: Authentication Portal

    Usage guidelines
    You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies RADIUS authentication as the primary method and two backup methods (local authentication and no authentication).
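The fail-open case that the usage guideline describes, shown as a weak configuration beside its hardened form. This is an added example and not part of the HPE manual; it reuses the manual's own domain name test and RADIUS scheme name rd, and assumes that scheme rd has already been configured with the radius scheme command.

```text
# Weak: "none" as the final backup method. Backup methods are tried only when
# the method before them is invalid (for example, no RADIUS server in scheme
# rd responds; a RADIUS reject is not "invalid" and ends the attempt). If the
# RADIUS method and then the local method are both invalid, the device falls
# through to "none" and admits the login with no credential check at all.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local none
[Sysname-isp-test] quit

# Hardened: same primary and backup without "none". Once RADIUS and the local
# user database have both been exhausted the login is denied (fail-closed).
# The "none" keyword is also not available in the FIPS-mode syntax, so this is
# the form that works in both modes.
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
[Sysname-isp-test] quit
```

After the change, verify with display domain test that the login authentication method list ends at local, and test the failure path by making the RADIUS servers unreachable from a lab device rather than assuming the fallback order.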
  • Page 33: Authentication Super

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
    local: Performs local authentication.
    none: Does not perform authentication.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 34: Authorization Command

    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines
    To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication.
  • Page 35
    Views
    ISP domain view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
    local: Performs local authorization.
    none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role.
  • Page 36: Authorization Default

    authorization default
    Use authorization default to specify default authorization methods for an ISP domain. Use undo authorization default to restore the default.
    Syntax
    In non-FIPS mode:
    authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
    undo authorization default
    In FIPS mode:...
  • Page 37: Authorization Lan-Access

    When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid.
  • Page 38: Authorization Login

    Usage guidelines The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization).
  • Page 39: Authorization Portal

    Predefined user roles network-admin mdc-admin Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The following default authorization information applies after users pass authentication: •...
  • Page 40 Use undo authorization portal to restore the default. Syntax In non-FIPS mode: authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } undo authorization portal In FIPS mode: authorization portal { local | radius-scheme radius-scheme-name [ local ] } undo authorization portal Default The default authorization methods of the ISP domain are used for portal users.
  • Page 41: Authorization-Attribute (Isp Domain View)

    local-user radius scheme authorization-attribute (ISP domain view) Use authorization-attribute to configure authorization attributes for users in an ISP domain. Use undo authorization-attribute to restore the default of an authorization attribute. Syntax authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | idle-cut minutes [ flow ] [ traffic { both | inbound | outbound } ] | igmp max-access-number max-access-number...
  • Page 42: Display Domain

    traffic: Specifies the traffic direction for the idle cut feature. If you do not specify this keyword, the idle cut feature applies to both traffic directions. both: Specifies both traffic directions. inbound: Specifies the inbound direction. outbound: Specifies the outbound direction. igmp max-access-number max-access-number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently.
  • Page 43 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains. Examples # Display the configuration of all ISP domains.
  • Page 44 Idle cut : Enabled Idle timeout: 2 minutes Flow: 10240 bytes Traffic direction: Both IP pool: appy Inbound CAR: CIR 64000 bps PIR 640000 bps Outbound CAR: CIR 64000 bps PIR 640000 bps ACL number: 3000 User group: ugg IPv6 pool: ipv6pool URL: http://test IGMP access number: 4 MLD access number: 4...
  • Page 45 Field Description Accounting start failure action: Access control for users that encounter accounting-start failures: • Online—Allows the users to stay online. • Offline—Logs off the users. Accounting update failure max-times: Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain. Accounting update failure action: Access control for users that have failed all their accounting-update attempts:...
  • Page 46: Domain

    Field Description ACL number: Authorization ACL for users. User group: Authorization user group for users. IPv6 pool: Name of the authorization IPv6 address pool for users. URL: Authorization redirect URL for users. IGMP max access number: Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently.
  • Page 47: Domain Default Enable

    Examples # Create an ISP domain named test and enter ISP domain view. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] Related commands display domain domain default enable domain if-unknown state (ISP domain view) domain default enable Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain.
  • Page 48: Domain If-Unknown

    domain domain if-unknown Use domain if-unknown to specify an ISP domain to accommodate users that are assigned to nonexistent domains. Use undo domain if-unknown to restore the default. Syntax domain if-unknown isp-name undo domain if-unknown Default No ISP domain is specified to accommodate users that are assigned to nonexistent domains. Views System view Predefined user roles...
  • Page 49: Nas-Id Bind Vlan

    nas-id bind vlan Use nas-id bind vlan to bind a NAS-ID with a VLAN. Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding. Syntax nas-id nas-identifier bind vlan vlan-id undo nas-id nas-identifier bind vlan vlan-id Default No NAS-ID and VLAN bindings exist. Views NAS-ID profile view Predefined user roles...
  • Page 50: Session-Time Include-Idle-Time

    Predefined user roles network-admin mdc-admin Parameters hsi: Specifies the High Speed Internet (HSI) service. This service is applicable to users that access the network through 802.1X. stb: Specifies the Set Top Box (STB) service. This service is applicable to users that access the network through STB.
  • Page 51: State (Isp Domain View)

    Usage guidelines Whether to configure the device to include the idle timeout period in the user online duration sent to the server depends on the accounting policy in your network. Typically, the idle timeout period is assigned by the authorization server after users pass authentication. For portal users, the idle timeout period set for the online portal user detection feature takes priority over the server-assigned idle timeout period.
  • Page 52: User-Address-Type

    Usage guidelines By blocking an ISP domain, you prevent offline users of the domain from requesting network services. However, online users are not affected. Examples # Place ISP domain test in blocked state. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] state block Related commands display domain user-address-type...
  • Page 53: Local User Commands

    Related commands display domain Local user commands access-limit Use access-limit to set the maximum number of concurrent logins using the local user name. Use undo access-limit to restore the default. Syntax access-limit max-user-number undo access-limit Default The number of concurrent logins using the local user name is not limited. Views Local user view Predefined user roles...
  • Page 54 Syntax authorization-attribute { acl acl-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes | user-role role-name | vlan vlan-id | work-directory directory-name } * undo authorization-attribute { acl | idle-cut | ip-pool | ipv6-pool | session-timeout | user-role role-name | vlan | work-directory } * Default The working directory for FTP, SFTP, and SCP users is the root directory of the NAS.
  • Page 55 For LAN users, only the following authorization attributes are effective: acl, session-timeout, and vlan. For Telnet and terminal users, only the authorization attributes idle-cut, user-role, and work-directory are effective. For HTTP and HTTPS users, only the authorization attribute user-role is effective. For SSH and FTP users, only the authorization attributes idle-cut, user-role, and work-directory are effective.
  • Page 56: Bind-Attribute

    bind-attribute Use bind-attribute to configure binding attributes for a local user. Use undo bind-attribute to remove binding attributes of a local user. Syntax bind-attribute { ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } * undo bind-attribute { ip | location | mac | vlan } * Default No binding attributes are configured for a local user.
  • Page 57: Company

    • If the user is a portal user, specify the portal-enabled interface. Specify the Layer 2 Ethernet interface if portal is enabled on a VLAN interface and the portal roaming enable command is not configured. Examples # Bind IP address 3.3.3.3 with network access user abc. <Sysname>...
  • Page 58: Display Local-User

    Default No description is configured for a network access user. Views Network access user view Predefined user roles network-admin mdc-admin Parameters text: Configures a description, case-sensitive string of 1 to 255 characters. Examples # Configure a description for network access user 123. <Sysname>...
  • Page 59 lan-access: LAN users that typically access the network through Ethernet, such as 802.1X users. portal: Portal users. ssh: SSH users. telnet: Telnet users. terminal: Terminal users that log in through console ports. state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.
  • Page 60 User role list: network-operator, level-0, level-3 Description: A network access user from company cc Validity period: Start date and time: 2016/01/01-00:01:01 Expiration date and time: 2017/01/01-01:01:01 Network access guest user1: State: Active Service type: LAN-access/Portal User group: guest1 Full name: Jack Company: Email:...
  • Page 61: Display User-Group

    Field Description User role list Authorized roles of the local user. IP pool IPv4 address pool authorized to the local user. IPv6 pool IPv6 address pool authorized to the local user. Password control configurations Password control attributes that are configured for the local user. Password aging Password expiration time.
  • Page 62 network-operator mdc-admin mdc-operator Parameters all: Specifies all user groups. name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. Examples # Display the configuration of all user groups. <Sysname> display user-group all Total 2 user groups matched. User group: system Authorization attributes: Work directory:...
  • Page 63: Email

    Field Description Password complexity: Password complexity checking policy: • Reject a password that contains the username or the reverse of the username. • Reject a password that contains any character repeated consecutively three or more times. Maximum login attempts: Maximum number of consecutive failed login attempts. Action for exceeding login attempts: Action to take on the user that failed to log in after using up all login attempts...
  • Page 64: Group

    Syntax full-name name-string undo full-name Default No name is configured for a local guest. Views Local guest view Predefined user roles network-admin mdc-admin Parameters name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters. Examples # Configure the name as abc Snow for local guest abc. <Sysname>...
  • Page 65: Local-Guest Email Format

    Related commands display local-user local-guest email format Use local-guest email format to configure the subject and body for the email notifications of local guest information. Use undo local-guest email format to delete the configured subject or body for the email notifications of local guest information.
  • Page 66: Local-Guest Email Sender

    local-guest send-email local-guest email sender Use local-guest email sender to configure the email sender address in email notifications of local guests sent by the device. Use undo local-guest email sender to restore the default. Syntax local-guest email sender email-address undo local-guest email sender Default No email sender address is configured for the email notifications of local guests sent by the device.
  • Page 67: Local-Guest Generate

    Views System view Predefined user roles network-admin mdc-admin Parameters url-string: Specifies the path of the SMTP server, a case-sensitive string of 1 to 255 characters. The path must comply with the standard SMTP protocol and start with smtp://. Usage guidelines If you execute this command multiple times, the most recent configuration takes effect.
  • Page 68: Local-Guest Send-Email

    count user-count: Specifies the number of local guests to be created. The value range for the user-count argument is 1 to 256. validity-datetime: Specifies the validity period of the local guests. start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD.
  • Page 69: Local-User

    mdc-admin Parameters user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements: • Cannot contain a domain name. • Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
  • Page 70: Local-User Auto-Delete Enable

    • Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@). • Cannot be a, al, or all. class: Specifies the local user type.
  • Page 71: Local-User-Export

    Syntax local-user auto-delete enable undo local-user auto-delete enable Default The local user auto-delete feature is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This feature enables the device to examine the validity of local users at fixed 10-minute intervals and automatically delete expired local users.
  • Page 72: Local-User-Import

    The device supports TFTP and FTP file transfer modes. Table 4 describes the valid URL formats of the .csv file. Table 4 URL formats: Protocol: TFTP. URL format: tftp://server/path/filename. Description: Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.
  • Page 73 start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional.
  • Page 74: Password (Device Management User View)

    Table 5 URL formats: Protocol: TFTP. URL format: tftp://server/path/filename. Description: Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv. Protocol: FTP. URL format (with user name and password): ftp://username:password@serve Description: Specify an FTP server by IP address or hostname. The device ignores the domain name in the...
  • Page 75: Password (Network Access User View)

    Parameters hash: Specifies a password encrypted by the hash algorithm. simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form. string: Specifies the password string. This argument is case sensitive. •...
  • Page 76: Phone

    Predefined user roles network-admin mdc-admin Parameters cipher: Specifies a password in encrypted form. simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form. string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
  • Page 77: Service-Type (Local User View)

    Related commands display local-user service-type (local user view) Use service-type to specify the service types that a local user can use. Use undo service-type to remove service types configured for a local user. Syntax In non-FIPS mode: service-type { ftp | lan-access | { http | https | ssh | telnet | terminal } * | portal } undo service-type { ftp | lan-access | { http | https | ssh | telnet | terminal } * | portal } In FIPS mode: service-type { lan-access | { https | ssh | terminal } * | portal }...
  • Page 78: Sponsor-Department

    Related commands display local-user sponsor-department Use sponsor-department to specify the department of the guest sponsor for a local guest. Use undo sponsor-department to restore the default. Syntax sponsor-department department-string undo sponsor-department Default No department is specified for the guest sponsor of a local guest. Views Local guest view Predefined user roles...
  • Page 79: Sponsor-Full-Name

    Parameters email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822. Examples # Specify the email address as Sam@a.com for the guest sponsor of local guest abc. <Sysname> system-view [Sysname] local-user abc class network guest [Sysname-luser-network(guest)-abc] sponsor-email Sam@a.com Related commands display local-user...
  • Page 80: User-Group

    Default A local user is in active state. Views Local user view Predefined user roles network-admin mdc-admin Parameters active: Places the local user in active state to allow the local user to request network services. block: Places the local user in blocked state to prevent the local user from requesting network services.
  • Page 81: Validity-Datetime

    You can modify settings for the system-defined user group named system, but you cannot delete the user group. Examples # Create a user group named abc and enter user group view. <Sysname> system-view [Sysname] user-group abc [Sysname-ugroup-abc] Related commands display user-group validity-datetime Use validity-datetime to specify the validity period for a network access user.
  • Page 82: Radius Commands

    Usage guidelines Expired network access user accounts cannot be used for authentication. When both from and to options are specified, the expiration date and time must be later than the validity start date and time. When only the from option is specified, the user is valid since the specified date and time. When only the to option is specified, the user is valid until the specified date and time.
  • Page 83: Accounting-On Enable

    Examples # Configure the device ID as 1. <Sysname> system-view [Sysname] aaa device-id 1 accounting-on enable Use accounting-on enable to configure the accounting-on feature. Use undo accounting-on enable to disable the accounting-on feature. Syntax accounting-on enable [ interval interval | send send-times ] * undo accounting-on enable Default The accounting-on feature is disabled.
  • Page 84: Attribute 15 Check-Mode

    Use undo accounting-on extended to disable the extended accounting-on feature. Syntax accounting-on extended undo accounting-on extended Default The extended accounting-on feature is disabled. Views RADIUS scheme view Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines The extended accounting-on feature enhances the accounting-on feature by applying to a distributed architecture.
  • Page 85: Attribute 25 Car

    Syntax attribute 15 check-mode { loose | strict } undo attribute 15 check-mode Default The strict check method applies for SSH, FTP, and terminal users. Views RADIUS scheme view Predefined user roles network-admin mdc-admin Parameters loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services. strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
  • Page 86: Attribute 31 Mac-Format

    Usage guidelines Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control. Examples # In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.
  • Page 87: Attribute Convert (Radius Das View)

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] attribute 31 mac-format section six separator : lowercase Related commands display radius scheme attribute convert (RADIUS DAS view) Use attribute convert to configure a RADIUS attribute conversion rule. Use undo attribute convert to delete RADIUS attribute conversion rules. Syntax attribute convert src-attr-name to dest-attr-name { { coa-ack | coa-request } * | { received | sent } * } undo attribute convert [ src-attr-name ]...
  • Page 88: Attribute Convert (Radius Scheme View)

    Examples # In RADIUS DAS view, configure a RADIUS attribute conversion rule to replace the Ab-Server-String attribute in the received DAE packets with the Cd-User-Roles attribute. <Sysname> system-view [Sysname] radius dynamic-author server [Sysname-radius-da-server] attribute convert Ab-Server-String to Cd-User-Roles received Related commands attribute translate attribute convert (RADIUS scheme view) Use attribute convert to configure a RADIUS attribute conversion rule.
  • Page 89: Attribute Reject (Radius Das View)

    • A source RADIUS attribute can be converted only by one criterion, packet type or direction. • One source RADIUS attribute cannot be converted to multiple destination attributes. If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.
  • Page 90: Attribute Reject (Radius Scheme View)

    If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules. Examples # In RADIUS DAS view, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the DAE packets to be sent. <Sysname>...
  • Page 91: Attribute Remanent-Volume

    If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules. Examples # In RADIUS scheme radius1, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the RADIUS packets to be sent. <Sysname>...
  • Page 92: Attribute Translate

    attribute translate Use attribute translate to enable the RADIUS attribute translation feature. Use undo attribute translate to disable the RADIUS attribute translation feature. Syntax attribute translate undo attribute translate Default The RADIUS attribute translation feature is disabled. Views RADIUS DAS view RADIUS scheme view Predefined user roles network-admin...
  • Page 93: Data-Flow-Format (Radius Scheme View)

    Views RADIUS DAS view Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies a DAC by its IPv4 address. ipv6 ipv6-address: Specifies a DAC by its IPv6 address. key: Specifies the shared key for secure communication between the RADIUS DAC and server. Make sure the shared key is the same as the key configured on the RADIUS DAC.
  • Page 94: Display Radius Scheme

    Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } Default Traffic is counted in bytes and packets. Views RADIUS scheme view Predefined user roles...
  • Page 95 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes. Examples # Display the configuration of all RADIUS schemes.
  • Page 96 retransmission times retransmission interval(seconds) Timeout Interval(seconds) Retransmission Times Retransmission Times for Accounting Update : 5 Server Quiet Period(minutes) Realtime Accounting Interval(seconds) : 22 Stop-accounting packets buffering : Enabled Retransmission times : 500 NAS IP Address : 1.1.1.1 : Not configured User Name Format : with-domain Data flow unit...
  • Page 97 Field Description Probe username Username used for RADIUS server status detection. Probe interval Server status detection interval, in minutes. Weight Weight value of the RADIUS server. Accounting-On function Whether the accounting-on feature is enabled. extended function Whether the extended accounting-on feature is enabled. retransmission times Number of accounting-on packet transmission attempts.
  • Page 98: Display Radius Statistics

    display radius statistics Use display radius statistics to display RADIUS packet statistics. Syntax display radius statistics Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display RADIUS packet statistics. <Sysname> display radius statistics Auth. Acct. SessCtrl. Request Packet: Retry Packet: Timeout Packet: Access Challenge:...
  • Page 99: Display Stop-Accounting-Buffer (For Radius)

    Field Description Account Update Number of accounting update packets. Account Stop Number of stop-accounting packets. Terminate Request Number of packets for logging off users forcibly. Set Policy Number of packets for updating user authorization information. Packet With Response Number of packets for which responses were received. Packet Without Response Number of packets for which no responses were received.
  • Page 100: Key (Radius Scheme View)

    Scheme Session ID Username First sending time Attempts rad1 1000326232325010 23:27:16-08/31/2015 1000326232326010 23:33:01-08/31/2015 Table 8 Command output Field Description First sending time: Time when the stop-accounting request was first sent. Attempts: Number of attempts that were made to send the stop-accounting request.
  • Page 101: Nas-Ip (Radius Scheme View)

    • In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters. Usage guidelines The shared keys configured by using this command apply to all servers in the scheme.
  • Page 102: Port

    • If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet. • If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
  • Page 103: Primary Accounting (Radius Scheme View)

    Usage guidelines The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS. Examples # Enable the RADIUS DAS to listen to UDP port 3790 for DAE requests. <Sysname> system-view [Sysname] radius dynamic-author server [Sysname-radius-da-server] port 3790 Related commands...
  • Page 104: Primary Authentication (Radius Scheme View)

    • In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS accounting server belongs.
  • Page 105 Use undo primary authentication to restore the default. Syntax primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] * undo primary authentication Default The primary RADIUS authentication server is not specified.
  • Page 106: Radius Attribute Extended

    Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings. The shared key configured by this command takes precedence over the shared key configured with the key authentication command. The server status detection is triggered for the server if the specified test profile exists on the device.
  • Page 107 Predefined user roles network-admin mdc-admin Parameters attribute-name: Specifies the RADIUS attribute name, a case-insensitive string of 1 to 63 characters. The name must be unique among all RADIUS attributes, including the standard and extended RADIUS attributes. vendor vendor-id: Specifies a vendor ID in the range of 1 to 65535. If you do not specify a vendor ID, the device processes the RADIUS attribute as a standard RADIUS attribute.
  • Page 108: Radius Dscp

    attribute reject (RADIUS scheme view) attribute translate radius dscp Use radius dscp to change the DSCP priority of RADIUS packets. Use undo radius dscp to restore the default. Syntax radius [ ipv6 ] dscp dscp-value undo radius [ ipv6 ] dscp Default The DSCP priority of RADIUS packets is 0.
  • Page 109: Radius Nas-Ip

    Predefined user roles network-admin mdc-admin Usage guidelines After you enable the RADIUS DAS feature, the device listens to the RADIUS DAS port to receive DAE packets from specified DACs. Based on the DAE packet type and contents, the device performs one of the following operations: •...
  • Page 110: Radius Scheme

    Usage guidelines The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.
  • Page 111: Radius Session-Control Client

    mdc-admin Parameters radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines A RADIUS scheme can be used by more than one ISP domain at the same time. The device supports a maximum of 16 RADIUS schemes. Examples # Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
  • Page 112: Radius Session-Control Enable

    • In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS session-control client belongs.
  • Page 113: Radius-Server Test-Profile

    Usage guidelines An HPE IMC RADIUS server uses session-control packets to deliver dynamic authorization change requests or disconnection requests to the device. The session-control feature enables the device to receive the RADIUS session-control packets on UDP port 1812. This feature must work with HPE IMC servers.
  • Page 114: Reset Radius Statistics

    If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device. When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.
  • Page 115: Retry

    Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.
  • Page 116: Retry Realtime-Accounting

    If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure. If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the product of this value and the following items cannot be larger than the client timeout period defined by the access module: •...
  • Page 117: Retry Stop-Accounting (Radius Scheme View)

    To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.
  • Page 118: Secondary Accounting (Radius Scheme View)

    Parameters retries: Specifies the maximum number of transmission attempts. The value range is 10 to 65535. Usage guidelines The maximum number of stop-accounting request transmission attempts controls the transmission of stop-accounting requests together with the following parameters: • RADIUS server response timeout timer (set by using the timer response-timeout command). •...
  • Page 119 Parameters host-name: Specifies the host name of a secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary RADIUS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS accounting server. port-number: Specifies the service port number of the secondary RADIUS accounting server.
  • Page 120: Secondary Authentication (Radius Scheme View)

    If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either. Examples # In RADIUS scheme radius1, specify a secondary accounting server with IP address 10.110.1.1 and UDP port 1813.
  • Page 121 port-number: Specifies the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812. key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.
  • Page 122: Server-Load-Sharing Enable

    <Sysname> system-view
    [Sysname] radius scheme radius1
    [Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
    # In RADIUS scheme radius2, specify two secondary authentication servers with IP addresses 10.110.1.1 and 10.110.1.2 and UDP port 1812.
    <Sysname> system-view
    [Sysname] radius scheme radius2
    [Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
    [Sysname-radius-radius2] secondary authentication 10.110.1.2 1812
    Related commands display radius scheme...
  • Page 123: Snmp-Agent Trap Enable Radius

    [Sysname-radius-radius1] server-load-sharing enable
    Related commands primary authentication (RADIUS scheme view), primary accounting (RADIUS scheme view), secondary authentication (RADIUS scheme view), secondary accounting (RADIUS scheme view)
    snmp-agent trap enable radius
    Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS. Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
  • Page 124: State Primary

    • RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
    • Excessive authentication failures notification—RADIUS generates this notification when the ratio of the number of authentication failures to the total number of authentication attempts exceeds the specified threshold.
  • Page 125: State Secondary

    • If you set the status of the server to blocked, the device stops detecting the status of the server. • If you set the status of the server to active, the device starts to detect the status of the server. Examples # In RADIUS scheme radius1, set the status of the primary authentication server to blocked.
  • Page 126: Stop-Accounting-Buffer Enable (Radius Scheme View)

    Usage guidelines If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers. If the device finds that a secondary server in active state is unreachable, the device performs the following operations: •...
  • Page 127: Timer Quiet (Radius Scheme View)

    Predefined user roles network-admin mdc-admin Usage guidelines This command enables the device to buffer a RADIUS stop-accounting request that has received no response after the maximum number of transmission attempts (set by using the retry command) has been made. The device resends the buffered request until it receives a server response or until the number of stop-accounting request transmission attempts reaches the upper limit (set by using the retry stop-accounting command).
  • Page 128: Timer Realtime-Accounting (Radius Scheme View)

    Examples # In RADIUS scheme radius1, set the quiet timer to 10 minutes for the servers.
    <Sysname> system-view
    [Sysname] radius scheme radius1
    [Sysname-radius-radius1] timer quiet 10
    Related commands display radius scheme
    timer realtime-accounting (RADIUS scheme view)
    Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default.
  • Page 129: Timer Response-Timeout (Radius Scheme View)

    Examples # In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.
    <Sysname> system-view
    [Sysname] radius scheme radius1
    [Sysname-radius-radius1] timer realtime-accounting 51
    Related commands retry realtime-accounting
    timer response-timeout (RADIUS scheme view)
    Use timer response-timeout to set the RADIUS server response timeout timer. Use undo timer response-timeout to restore the default.
  • Page 130: User-Name-Format (Radius Scheme View)

    Related commands display radius scheme retry user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Use undo user-name-format to restore the default. Syntax user-name-format { keep-original | with-domain | without-domain } undo user-name-format Default The ISP domain name is included in the usernames sent to a RADIUS server.
  • Page 131: Vpn-Instance (Radius Scheme View)

    vpn-instance (RADIUS scheme view) Use vpn-instance to specify an MPLS L3VPN instance for a RADIUS scheme. Use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The RADIUS scheme belongs to the public network. Views RADIUS scheme view Predefined user roles network-admin mdc-admin...
  • Page 132: Display Hwtacacs Scheme

    Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters data: Specifies the unit for data flows. byte: Specifies the unit as byte. giga-byte: Specifies the unit as gigabyte. kilo-byte: Specifies the unit as kilobyte. mega-byte: Specifies the unit as megabyte. packet: Specifies the unit for data packets.
  • Page 133 Parameters hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes. statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the specified HWTACACS scheme.
  • Page 134
    Primary Acct Server: Primary HWTACACS accounting server.
    Secondary Auth Server: Secondary HWTACACS authentication server.
    Secondary Author Server: Secondary HWTACACS authorization server.
    Secondary Acct Server: Secondary HWTACACS accounting server.
    Host name: Host name of the server. This field displays Not configured in the following situations: •...
  • Page 135
    Round trip time: 20 seconds
    Request packets:
      Login request packets:
      Change-password request packets:
      Request packets including plaintext passwords:
      Request packets including ciphertext passwords: 0
    Response packets:
      Pass response packets:
      Failure response packets:
      Get-data response packets:
      Get-username response packets:
      Get-password response packets:
      Restart response packets:
      Error response packets:
      Follow response packets:...
  • Page 136
      Follow response packets:
      Malformed response packets:
      Timeout response packets:
      Unknown type response packets:
      Dropped response packets:
    Table 11 Command output
    Primary authentication server: Primary HWTACACS authentication server.
    Primary authorization server: Primary HWTACACS authorization server.
    Primary accounting server: Primary HWTACACS accounting server.
    Secondary authentication server: Secondary HWTACACS authentication server.
  • Page 137: Display Stop-Accounting-Buffer (For Hwtacacs)

    PassAdd response packets: Number of received PassAdd response packets. The packets indicate that all requested authorization attributes are assigned and additional authorization attributes are added.
    PassReply response packets: Number of received PassReply response packets. The device uses the specified authorization attributes in the packets to replace the requested authorization attributes.
  • Page 138: Hwtacacs Nas-Ip

    Attempts: Number of attempts that were made to send the stop-accounting request.
    Related commands reset stop-accounting-buffer (for HWTACACS), retry stop-accounting (HWTACACS scheme view), stop-accounting-buffer enable (HWTACACS scheme view), user-name-format (HWTACACS scheme view)
    hwtacacs nas-ip
    Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets. Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.
  • Page 139: Hwtacacs Scheme

    If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: • The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme. • The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
  • Page 140: Key (Hwtacacs Scheme View)

    <Sysname> system-view
    [Sysname] hwtacacs scheme hwt1
    [Sysname-hwtacacs-hwt1]
    Related commands display hwtacacs scheme
    key (HWTACACS scheme view)
    Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication. Use undo key to delete the shared key for secure HWTACACS authentication, authorization, or accounting communication.
  • Page 141: Nas-Ip (Hwtacacs Scheme View)

    [Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
    # Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication.
    [Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!
    # Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.
    [Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!
    Related commands display hwtacacs scheme...
  • Page 142: Primary Accounting (Hwtacacs Scheme View)

    If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: • The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme. • The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
  • Page 143: Primary Authentication (Hwtacacs Scheme View)

    cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key. This argument is case sensitive. • In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
  • Page 144 Syntax primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] * undo primary authentication Default The primary HWTACACS authentication server is not specified. Views HWTACACS scheme view Predefined user roles...
  • Page 145: Primary Authorization

    If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme. You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
  • Page 146: Reset Hwtacacs Statistics

    simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key. This argument is case sensitive. • In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
  • Page 147: Reset Stop-Accounting-Buffer (For Hwtacacs)

    Views User view Predefined user roles network-admin mdc-admin Parameters accounting: Clears the HWTACACS accounting statistics. all: Clears all HWTACACS statistics. authentication: Clears the HWTACACS authentication statistics. authorization: Clears the HWTACACS authorization statistics.
    Examples # Clear all HWTACACS statistics.
    <Sysname> reset hwtacacs statistics all
    Related commands display hwtacacs scheme
    reset stop-accounting-buffer (for HWTACACS)
  • Page 148: Secondary Accounting (Hwtacacs Scheme View)

    Syntax retry stop-accounting retries undo retry stop-accounting Default The maximum number of transmission attempts for individual HWTACACS stop-accounting requests is 100. Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters retries: Specifies the maximum number of transmission attempts for HWTACACS stop-accounting requests.
  • Page 149 Parameters host-name: Specifies the host name of a secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary HWTACACS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS accounting server. port-number: Specifies the service port number of the secondary HWTACACS accounting server.
  • Page 150: Secondary Authentication (Hwtacacs Scheme View)

    [Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!
    Related commands display hwtacacs scheme, key (HWTACACS scheme view), primary accounting (HWTACACS scheme view), vpn-instance (HWTACACS scheme view)
    secondary authentication (HWTACACS scheme view)
    Use secondary authentication to specify a secondary HWTACACS authentication server. Use undo secondary authentication to remove a secondary HWTACACS authentication server.
  • Page 151: Secondary Authorization

    keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 152 Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters host-name: Specifies the host name of a secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary HWTACACS authorization server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS authorization server.
  • Page 153: Stop-Accounting-Buffer Enable (Hwtacacs Scheme View)

    You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation. Examples # In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.
  • Page 154: Timer Quiet (Hwtacacs Scheme View)

    Related commands display stop-accounting-buffer (for HWTACACS) reset stop-accounting-buffer (for HWTACACS) timer quiet (HWTACACS scheme view) Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme. Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet Default...
  • Page 155: Timer Response-Timeout (Hwtacacs Scheme View)

    mdc-admin Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server. Usage guidelines For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically.
  • Page 156: User-Name-Format (Hwtacacs Scheme View)

    Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server. The client timeout period of the associated access module cannot be shorter than the total response timeout timer of all HWTACACS servers in the scheme.
  • Page 157: Vpn-Instance (Hwtacacs Scheme View)

    Examples # In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers.
    <Sysname> system-view
    [Sysname] hwtacacs scheme hwt1
    [Sysname-hwtacacs-hwt1] user-name-format without-domain
    Related commands display hwtacacs scheme
    vpn-instance (HWTACACS scheme view)
    Use vpn-instance to specify an MPLS L3VPN instance for an HWTACACS scheme.
  • Page 158: Authentication-Server

    Use undo attribute-map to restore the default. Syntax attribute-map map-name undo attribute-map Default An LDAP scheme does not use an LDAP attribute map. Views LDAP scheme view Predefined user roles network-admin mdc-admin Parameters map-name: Specifies an LDAP attribute map by its name, a case-insensitive string of 1 to 31 characters.
  • Page 159: Authorization-Server

    Predefined user roles network-admin mdc-admin Parameters server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters. Usage guidelines You can specify only one LDAP authentication server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.
  • Page 160: Display Ldap Scheme

    [Sysname-ldap-ldap1] authorization-server ccc
    Related commands display ldap scheme, ldap server
    display ldap scheme
    Use display ldap scheme to display LDAP scheme configuration. Syntax display ldap scheme [ ldap-scheme-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 161
    LDAP protocol version : LDAPv3
    Server timeout interval : 10 seconds
    Login account DN : Not configured
    Base DN : Not configured
    Search scope : all-level
    User searching parameters:
      User object class : Not configured
      Username attribute : cn
      Username format : with-domain
    Attribute map : map1...
  • Page 162: Ipv6

    Syntax ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ip Default An LDAP server does not have an IP address. Views LDAP server view Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies the IP address of the LDAP server. port port-number: Specifies the TCP port number of the LDAP server.
  • Page 163: Ldap Attribute-Map

    Predefined user roles network-admin mdc-admin Parameters ipv6-address: Specifies the IPv6 address of the LDAP server. port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs.
  • Page 164: Ldap Scheme

    Usage guidelines Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map. Each entry defines the mapping between an LDAP attribute and an AAA attribute. Examples # Create an LDAP attribute map named map1 and enter LDAP attribute map view. <Sysname>...
  • Page 165: Ldap Server

    ldap server Use ldap server to create an LDAP server and enter its view, or enter the view of an existing LDAP server. Use undo ldap server to delete an LDAP server. Syntax ldap server server-name undo ldap server server-name Default No LDAP servers exist.
  • Page 166: Login-Password

    Parameters dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters. Usage guidelines The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server. If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.
  • Page 167: Map

    [Sysname] ldap server ccc
    [Sysname-ldap-server-ccc] login-password simple abcdefg
    Related commands display ldap scheme, login-dn
    Use map to configure a mapping entry in an LDAP attribute map. Use undo map to delete the specified mapping entries from the LDAP attribute map. Syntax map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute user-group...
  • Page 168: Protocol-Version

    [Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
    Related commands ldap attribute-map, user-group
    protocol-version
    Use protocol-version to specify the LDAP version. Use undo protocol-version to restore the default. Syntax protocol-version { v2 | v3 } undo protocol-version Default The LDAP version is LDAPv3.
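What a map entry such as the one in the example above does to a directory entry can be seen in the following added example, which is not Comware code: it applies the equivalent of map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group to a constructed LDAP entry and yields the AAA user-group values. Assumptions not stated on the page: prefix matching is case-insensitive (LDAP attribute types are), values that lack the prefix are skipped, and a delimiter escaped with a backslash inside a DN (RFC 4514 syntax) does not end the value.

```python
"""LDAP attribute map applied to a directory entry, modelled in Python.

Added example, not Comware code. Assumptions: case-insensitive prefix match,
values without the prefix are skipped, and a backslash-escaped delimiter is
part of the value rather than its end.
"""


def extract_value(raw, prefix, delimiter):
    """Text between the prefix and the first unescaped delimiter; None when the prefix is absent."""
    if prefix and not raw.lower().startswith(prefix.lower()):
        return None
    body = raw[len(prefix):]
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):     # escaped character: keep it, drop the backslash
            out.append(body[i + 1])
            i += 2
            continue
        if delimiter and ch == delimiter:
            break
        out.append(ch)
        i += 1
    return "".join(out)


def apply_attribute_map(entry, map_entries):
    """entry: {ldap attribute: [values]}.
    map_entries: dicts with ldap_attribute, prefix, delimiter, aaa_attribute (the map command's operands).
    Returns {aaa attribute: [values]} with empty results dropped."""
    aaa = {}
    lowered = {k.lower(): v for k, v in entry.items()}
    for m in map_entries:
        for raw in lowered.get(m["ldap_attribute"].lower(), []):
            value = extract_value(raw, m.get("prefix", ""), m.get("delimiter", ""))
            if value:
                aaa.setdefault(m["aaa_attribute"], []).append(value)
    return aaa


# Constructed entry: two group DNs that match the prefix, one value that does not.
SAMPLE_ENTRY = {
    "memberOf": [
        "cn=netadmins,ou=groups,dc=ldap,dc=com",
        "CN=ops\\,tier1,ou=groups,dc=ldap,dc=com",
        "uid=svc,ou=people,dc=ldap,dc=com",
    ]
}
SAMPLE_MAP = [{"ldap_attribute": "memberof", "prefix": "cn=", "delimiter": ",",
               "aaa_attribute": "user-group"}]
```

Running apply_attribute_map(SAMPLE_ENTRY, SAMPLE_MAP) gives {"user-group": ["netadmins", "ops,tier1"]}: the second DN keeps its escaped comma, and the uid value contributes nothing because it does not carry the prefix.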
  • Page 169: Search-Scope

    Syntax search-base-dn base-dn undo search-base-dn Default No base DN is specified for user search. Views LDAP server view Predefined user roles network-admin mdc-admin Parameters base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters. Examples # Specify the base DN for user search as dc=ldap,dc=com for LDAP server ccc.
  • Page 170: Server-Timeout

    Examples # Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc.
    <Sysname> system-view
    [Sysname] ldap server ccc
    [Sysname-ldap-server-ccc] search-scope all-level
    Related commands display ldap scheme, ldap server
    server-timeout
    Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.
  • Page 171: Radius Server Commands

    Syntax user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name } undo user-parameters { user-name-attribute | user-name-format | user-object-class } Default The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.
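The user-parameters settings above decide what the device searches for under the login DN and base DN. The following added example, not Comware code, models that search-filter construction in Python: user-name-format without-domain strips the ISP domain first, the username attribute (cn, uid, or a custom attribute) and the optional user object class select the entry, and every character taken from the user is escaped per RFC 4515 so that a crafted username cannot widen or restructure the filter. Assumed, because the page does not say: "@" separates user and domain in the received username.

```python
"""LDAP user-search filter built from user-parameters settings, with RFC 4515 escaping.

Added example, not Comware code. Assumes "@" as the domain delimiter.
"""


def escape_filter_value(value):
    """RFC 4515: backslash, *, (, ) and NUL inside an assertion value must be hex-escaped."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch)
    return "".join(out)


def strip_domain(username, username_format="without-domain", delimiter="@"):
    """without-domain drops everything from the last delimiter; with-domain keeps the name as received."""
    if username_format == "without-domain":
        return username.rsplit(delimiter, 1)[0]
    return username


def build_user_filter(username, name_attribute="cn", user_object_class=None,
                      username_format="without-domain"):
    """Filter the device would send; defaults match the page (attribute cn, without-domain).

    name_attribute and user_object_class come from configuration, so metacharacters there are
    refused outright instead of escaped."""
    for setting in (name_attribute, user_object_class or ""):
        if any(ch in setting for ch in "=*()\\\x00"):
            raise ValueError("configured attribute names must not contain filter metacharacters")
    name = strip_domain(username, username_format)
    term = "(%s=%s)" % (name_attribute, escape_filter_value(name))
    if user_object_class:
        return "(&(objectClass=%s)%s)" % (user_object_class, term)
    return term
```

With the defaults, "bob@corp" becomes (cn=bob); with user-name-attribute uid and user-object-class inetOrgPerson it becomes (&(objectClass=inetOrgPerson)(uid=bob)). A username of "*)(uid=*" is sent as (cn=\2a\29\28uid=\2a), which matches no entry rather than every entry.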
  • Page 172: Display Radius-Server Active-User

    Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator
    Examples # Display information about all activated RADIUS clients.
    <Sysname> display radius-server active-client
    Total 2 RADIUS clients.
    Client IP: 2.2.2.2
    Client IP: 3.3.3.3
    Related commands radius-server client
    display radius-server active-user
    Use display radius-server active-user to display information about activated RADIUS users.
  • Page 173: Radius-Server Activate

    Username: test
    Description: A network access user from company cc
    Authorization attributes:
      VLAN ID: 2
      ACL number: 2000
    Validity period:
      Expiration time: 2015/04/03-18:00:00
    # Display information about all activated RADIUS users.
    <Sysname> display radius-server active-user
    Total 2 RADIUS users matched.
    Username: 123
    Description: A network access user from company cc
    Authorization attributes:...
  • Page 174: Radius-Server Client

    Syntax radius-server activate Views System view Predefined user roles network-admin mdc-admin Usage guidelines Use this command to immediately activate the most recent RADIUS server configuration after you have added, modified, or deleted RADIUS clients and network access users from which RADIUS user data is generated.
  • Page 175 string: Specifies a case-sensitive key string. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters. all: Specifies all RADIUS clients. Usage guidelines The IP address of a RADIUS client must be the same as the source IP address for outgoing RADIUS packets specified on the RADIUS client.
  • Page 176: 802.1X Commands

    802.1X commands display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics.
  • Page 177
    Online 802.1X wired users
    Ten-GigabitEthernet1/0/1 is link-up
      802.1X authentication : Enabled
      Handshake : Enabled
      Handshake reply : Disabled
      Handshake security : Disabled
      Unicast trigger : Disabled
      Periodic reauth : Disabled
      Port role : Authenticator
      Authorization mode : Auto
      Port access control : Port-based
      Multicast trigger : Enabled...
  • Page 178
    CHAP authentication: Performs EAP termination and uses CHAP to communicate with the RADIUS server.
    EAP authentication: Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.
    PAP authentication: Performs EAP termination and uses PAP to communicate with the RADIUS server.
  • Page 179
    Port access control: Access control method of the port:
    • MAC-based—MAC-based access control.
    • Port-based—Port-based access control.
    Multicast trigger: Whether the 802.1X multicast trigger feature is enabled.
    Mandatory auth domain: Mandatory authentication domain on the port.
    Guest VLAN: 802.1X guest VLAN configured on the port. If no 802.1X guest VLAN is configured on the port, this field displays Not configured.
  • Page 180: Display Dot1X Connection

    Add Guest VSI delay: Status and mode of the 802.1X guest VSI assignment delay feature on a port:
    • EAPOL only—EAPOL-triggered 802.1X guest VSI assignment delay is enabled.
    • NewMAC only—New MAC-triggered 802.1X guest VSI assignment delay is enabled.
    •...
  • Page 181 mdc-operator Parameters open: Displays information only about 802.1X users that use nonexistent usernames or incorrect passwords for network access in open authentication mode. If you do not specify this keyword, the command displays information about all online 802.1X users. interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays online 802.1X user information for all ports.
  • Page 182
    User MAC address: MAC address of the user.
    Access interface: Interface through which the user accesses the device.
    User access state: Access state of the user.
    • Successful—The user passes 802.1X authentication and comes online.
    • Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.
  • Page 183: Display Dot1X Mac-Address

    display dot1x mac-address Use display dot1x mac-address to display MAC address information of 802.1X users in 802.1X VLANs or VSIs of a specific type. Syntax display dot1x mac-address { auth-fail-vlan | auth-fail-vsi | critical-vlan | critical-vsi | guest-vlan | guest-vsi } [ interface interface-type interface-number ] Views Any view Predefined user roles...
  • Page 184: Dot1X

    MAC addresses: 8
      0800-2700-9427 0800-2700-2341 0800-2700-2324 0800-2700-2351
      0800-2700-5627 0800-2700-2251 0800-2700-8624 0800-2700-3f51
    Interface: Ten-GigabitEthernet1/0/4
    Auth-Fail VSI: text1-vsi
    Aging time: 30 sec
    MAC addresses: 2
      0801-2700-9427 0801-2700-2341
    Table 18 Command output
    Total MAC addresses: Total number of MAC addresses in the specified VLAN or VSI on the specified port or all ports.
  • Page 185: Dot1X Access-User Log Enable

    Views System view Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines For the 802.1X feature to take effect on a port, you must enable the feature both globally and on the port.
  • Page 186: Dot1X After-Mac-Auth Max-Attempt

    successful-login: Specifies logs generated for successful logins of 802.1X users. Usage guidelines As a best practice, disable this feature to prevent excessive output of logs for 802.1X users. If you do not specify any parameters, this command enables all logging functions for 802.1X users. Examples # Enable logging for login failures of 802.1X users.
  • Page 187: Dot1X Authentication-Method

    Related commands display dot1x dot1x authentication-method Use dot1x authentication-method to specify an EAP message handling method. Use undo dot1x authentication-method to restore the default. Syntax dot1x authentication-method { chap | eap | pap } undo dot1x authentication-method Default The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
  • Page 188: Dot1X Auth-Fail Vlan

    If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS commands." If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
  • Page 189: Dot1X Auth-Fail Vsi

    <Sysname> system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x auth-fail vlan 100
    Related commands display dot1x
    dot1x auth-fail vsi
    Use dot1x auth-fail vsi to configure an 802.1X Auth-Fail VSI on a port. Use undo dot1x auth-fail vsi to restore the default. Syntax dot1x auth-fail vsi authfail-vsi-name undo dot1x auth-fail vsi...
  • Page 190: Dot1X Critical Eapol

    dot1x critical eapol Use dot1x critical eapol to enable the sending of an EAP-Success packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on a port. Use undo dot1x critical eapol to restore the default. Syntax dot1x critical eapol undo dot1x critical eapol...
  • Page 191: Dot1X Critical Vsi

    Default No 802.1X critical VLAN exists on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters critical-vlan-id: Specifies the ID of the 802.1X critical VLAN on the port. The value range for the VLAN ID is 1 to 4094.
  • Page 192: Dot1X Critical-Voice-Vlan

    Predefined user roles network-admin mdc-admin Parameters critical-vsi-name: Specifies the name of the 802.1X critical VSI on the port, a case-sensitive string of 1 to 31 characters. Usage guidelines An 802.1X critical VSI accommodates users that have failed 802.1X authentication because all the RADIUS servers in their ISP domains are unreachable.
  • Page 193: Dot1X Domain-Delimiter

    • The port is configured with the voice VLAN. To configure a voice VLAN on a port, use the voice-vlan enable command (see Layer 2—LAN Switching Command Reference). • LLDP is enabled both globally and on the port. The device uses LLDP to identify voice users. For information about LLDP commands, see Layer 2—LAN Switching Command Reference.
  • Page 194: Dot1X Ead-Assistant Enable

    If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\).
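The rightmost-delimiter rule above, together with the user-name-format choices (keep-original, with-domain, without-domain) that the RADIUS and HWTACACS scheme commands apply to the result, is modelled in the following added example, which is not Comware code. Assumed, because the page states only which delimiter is chosen: the text before the delimiter is the user name, the text after it is the ISP domain name, and a username with no delimiter is placed in a default domain that with-domain appends using "@". The page's own example string 121.123/22\@abc with delimiters /, . and \ is used as test input.

```python
"""Domain-delimiter selection and user-name-format handling, modelled in Python.

Added example, not Comware code. Assumptions: user<delimiter>domain ordering,
and a default domain appended with "@" when with-domain meets a bare user name.
"""


def split_username(username, delimiters="@"):
    """Return (user, domain, delimiter). The rightmost occurrence of any configured
    delimiter is the domain delimiter; domain and delimiter are None when there is none."""
    positions = [(username.rfind(d), d) for d in delimiters if d in username]
    if not positions:
        return username, None, None
    pos, delim = max(positions)          # highest index wins
    return username[:pos], username[pos + 1:], delim


def format_username(username, fmt, delimiters="@", default_domain="system"):
    """Apply a user-name-format keyword before the name is sent to the server.

    keep-original: as received; without-domain: user part only;
    with-domain: user and domain, using the default domain when none was given."""
    user, domain, _ = split_username(username, delimiters)
    if fmt == "keep-original":
        return username
    if fmt == "without-domain":
        return user
    if fmt == "with-domain":
        return username if domain is not None else user + "@" + default_domain
    raise ValueError("unknown user-name-format: " + fmt)
```

split_username("121.123/22\\@abc", "/.\\") returns ("121.123/22", "@abc", "\\"): the backslash at index 10 outranks the slash at 7 and the dot at 3, exactly as the text describes, and a more conventional "alice@corp" splits at the at sign.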
  • Page 195: Dot1X Ead-Assistant Free-Ip

    dot1x ead-assistant url
    http-redirect https-port (Layer 3—IP Services Command Reference)

    dot1x ead-assistant free-ip
    Use dot1x ead-assistant free-ip to configure a free IP.
    Use undo dot1x ead-assistant free-ip to remove the specified or all free IP addresses.
    Syntax
    dot1x ead-assistant free-ip ip-address { mask-address | mask-length }
    undo dot1x ead-assistant free-ip { ip-address { mask-address | mask-length } | all }
    Default
    No free IPs exist.
  • Page 196: Dot1X Eapol Untag

    undo dot1x ead-assistant url
    Default
    No redirect URL exists for EAD assistant.
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    url-string: Specifies the redirect URL, a case-sensitive string of 1 to 256 characters in the format http://string or https://string. If the specified URL does not start with http:// or https://, the URL is considered to start with http:// by default.
  • Page 197: Dot1X Guest-Vlan

    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    This command enables the device to send 802.1X protocol packets out of an 802.1X-enabled port without VLAN tags. Use this command to prevent terminal devices connected to the port from failing 802.1X authentication when the following conditions exist:
    •...
  • Page 198: Dot1X Guest-Vlan-Delay

    Usage guidelines An 802.1X guest VLAN accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
  • Page 199: Dot1X Guest-Vsi

    When 802.1X authentication is triggered on a port, the device performs the following operations:
    • Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication.
    • Retransmits the packet if no response has been received within the username request timeout interval set by using the dot1x timer tx-period command.
  • Page 200: Dot1X Guest-Vsi-Delay

    You can configure only one 802.1X guest VSI on a port. The 802.1X guest VSIs on different ports can be different.
    On a port, the 802.1X guest VSI configuration is mutually exclusive with the 802.1X guest VLAN, 802.1X Auth-Fail VLAN, and 802.1X critical VLAN settings.
    Examples
    # Specify VSI vsiuser as the 802.1X guest VSI on Ten-GigabitEthernet 1/0/1.
  • Page 201: Dot1X Handshake

    • Assigns the port to the 802.1X guest VSI after the maximum number of request attempts set by using the dot1x retry command is reached.
    If you use the undo command without any keyword, the command disables both EAPOL-triggered and new MAC-triggered 802.1X guest VSI assignment delays on a port.
    Examples
    # Enable EAPOL-triggered 802.1X guest VSI assignment delay on Ten-GigabitEthernet 1/0/1.
  • Page 202: Dot1X Handshake Reply Enable

    Related commands
    display dot1x
    dot1x timer handshake-period
    dot1x retry

    dot1x handshake reply enable
    Use dot1x handshake reply enable to enable the 802.1X online user handshake reply feature.
    Use undo dot1x handshake reply enable to disable the 802.1X online user handshake reply feature.
  • Page 203: Dot1X Mac-Binding

    Default
    The online user handshake security feature is disabled.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    The online user handshake security feature enables the device to prevent users from using illegal client software.
  • Page 204: Dot1X Mac-Binding Enable

    Parameters
    mac-address: Specifies a MAC address in the format of H-H-H, excluding broadcast, multicast, and all-zero MAC addresses.
    all: Specifies all MAC addresses that are bound to a port.
    Usage guidelines
    This command takes effect only when the 802.1X MAC address binding feature takes effect.
    802.1X MAC address binding entries, both manually added and automatically generated, never age out.
  • Page 205: Dot1X Mandatory-Domain

    The 802.1X MAC address binding feature automatically binds MAC addresses of authenticated 802.1X users to the users' access port and generates 802.1X MAC address binding entries. 802.1X MAC address binding entries, both automatically generated and manually added, never age out. They can survive a user logoff or a device reboot. To delete an entry, you must use the undo dot1x mac-binding mac-address command.
  • Page 206: Dot1X Max-User

    Default ISP domain.
    Examples
    # Specify my-domain as the mandatory authentication domain for 802.1X users on Ten-GigabitEthernet 1/0/1.
    <Sysname> system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain
    Related commands
    display dot1x

    dot1x max-user
    Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port.
    Use undo dot1x max-user to restore the default.
  • Page 207: Dot1X Port-Control

    Use undo dot1x multicast-trigger to disable the 802.1X multicast trigger feature.
    Syntax
    dot1x multicast-trigger
    undo dot1x multicast-trigger
    Default
    The 802.1X multicast trigger feature is enabled.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    The multicast trigger feature enables the device to act as the initiator.
  • Page 208: Dot1X Port-Method

    mdc-admin
    Parameters
    authorized-force: Places the port in authorized state, enabling users on the port to access the network without authentication.
    auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and places the port in authorized state after a user passes authentication. You can use this option in most scenarios.
  • Page 209: Dot1X Quiet-Period

    Examples
    # Configure Ten-GigabitEthernet 1/0/1 to implement port-based access control.
    <Sysname> system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x port-method portbased
    Related commands
    display dot1x

    dot1x quiet-period
    Use dot1x quiet-period to enable the quiet timer.
    Use undo dot1x quiet-period to disable the quiet timer.
    Syntax
    dot1x quiet-period
    undo dot1x quiet-period...
  • Page 210: Dot1X Re-Authenticate Manual

    Default
    The 802.1X periodic reauthentication feature is disabled.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    Periodic reauthentication enables the access device to periodically authenticate online 802.1X users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.
  • Page 211: Dot1X Re-Authenticate Server-Unreachable Keep-Online

    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x re-authenticate manual
    Related commands
    dot1x re-authenticate

    dot1x re-authenticate server-unreachable keep-online
    Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port.
    Use undo dot1x re-authenticate server-unreachable to restore the default.
    Syntax
    dot1x re-authenticate server-unreachable keep-online
    undo dot1x re-authenticate server-unreachable
    Default
    The keep-online feature is disabled on a port.
  • Page 212: Dot1X Timer

    Default
    A maximum of two attempts are made to send an authentication request to a client.
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
  • Page 213

    • Periodic reauthentication timer: 3600 seconds.
    • Server timeout timer: 100 seconds.
    • Client timeout timer: 30 seconds.
    • Username request timeout timer: 30 seconds.
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    ead-timeout ead-timeout-value: Specifies the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440.
  • Page 214: Dot1X Timer Reauth-Period

    • Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable 802.1X periodic reauthentication on a port, use the dot1x re-authenticate command.
    • Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server.
  • Page 215: Dot1X Unicast-Trigger

    Usage guidelines The device reauthenticates online 802.1X users on a port at the specified periodic reauthentication interval when the port is enabled with periodic reauthentication. To enable periodic reauthentication on a port, use the dot1x re-authenticate command. A change to the periodic reauthentication timer applies to online users only after the old timer expires.
  • Page 216: Dot1X User-Ip Freeze

    <Sysname> system-view
    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] dot1x unicast-trigger
    Related commands
    display dot1x
    dot1x multicast-trigger
    dot1x retry
    dot1x timer

    dot1x user-ip freeze
    Use dot1x user-ip freeze to enable 802.1X user IP freezing.
    Use undo dot1x user-ip freeze to disable 802.1X user IP freezing.
    Syntax
    dot1x user-ip freeze
    undo dot1x user-ip freeze...
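    The following is an added example, not taken from this manual, that ties together the dot1x commands documented on the preceding pages (port-control, port-method, max-user, mandatory-domain, guest/Auth-Fail/critical VLAN, critical eapol, re-authenticate, server-unreachable keep-online, retry, timer, mac-binding enable and unicast-trigger) into one hardened edge-port configuration. The ISP domain corp (and the RADIUS scheme bound to it, configured with the AAA commands in the first chapter of this reference) and the VLAN IDs 100, 200 and 300 are assumptions for illustration.

```comware
# Added example (not from the manual). Assumes ISP domain "corp" already exists
# and is bound to a reachable RADIUS scheme; VLAN 100 = guest, 200 = Auth-Fail,
# 300 = critical. Each of the three must be a restricted, isolated network.
<Sysname> system-view
# 802.1X must be enabled globally before the per-port settings take effect.
[Sysname] dot1x
# EAP-Request/Identity is sent up to "retry" times, one every tx-period seconds.
# With the defaults below an unresponsive host reaches the guest VLAN after
# about 60 s instead of holding the port in the unauthorized state indefinitely.
[Sysname] dot1x retry 2
[Sysname] dot1x timer tx-period 30
# Reauthenticate every 30 minutes (default 3600 s) so server-side ACL/VLAN
# changes and revoked accounts take effect without bouncing the port.
[Sysname] dot1x timer reauth-period 1800
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] dot1x
# MAC-based control authenticates each host behind the port separately.
# Leave port-control at auto: authorized-force opens the port to everyone.
[Sysname-Ten-GigabitEthernet1/0/1] dot1x port-method macbased
[Sysname-Ten-GigabitEthernet1/0/1] dot1x port-control auto
[Sysname-Ten-GigabitEthernet1/0/1] dot1x max-user 8
# Force the ISP domain regardless of any domain name the client types in.
[Sysname-Ten-GigabitEthernet1/0/1] dot1x mandatory-domain corp
# Restricted VLANs: guest (no 802.1X attempt), Auth-Fail (bad credentials),
# critical (every RADIUS server unreachable). The VSI variants of these
# commands cannot coexist with the VLAN variants on the same port.
[Sysname-Ten-GigabitEthernet1/0/1] dot1x guest-vlan 100
[Sysname-Ten-GigabitEthernet1/0/1] dot1x auth-fail vlan 200
[Sysname-Ten-GigabitEthernet1/0/1] dot1x critical vlan 300
[Sysname-Ten-GigabitEthernet1/0/1] dot1x critical eapol
# Periodic reauthentication on this port. keep-online keeps users online when
# reauthentication finds no reachable server; the trade-off is that a stale
# authorization survives for the whole outage.
[Sysname-Ten-GigabitEthernet1/0/1] dot1x re-authenticate
[Sysname-Ten-GigabitEthernet1/0/1] dot1x re-authenticate server-unreachable keep-online
# Bind authenticated MACs to this port. Entries never age out and survive a
# reboot, so retire them with undo dot1x mac-binding when a device is replaced.
[Sysname-Ten-GigabitEthernet1/0/1] dot1x mac-binding enable
# Unicast trigger for clients that do not send EAPOL-Start on their own.
[Sysname-Ten-GigabitEthernet1/0/1] dot1x unicast-trigger
[Sysname-Ten-GigabitEthernet1/0/1] quit
# Verify the effective settings and the online users.
[Sysname] display dot1x interface ten-gigabitethernet 1/0/1
```

    Two checks worth making after applying this: confirm with display dot1x that the port shows auto port control and the three restricted VLANs, and confirm that the guest, Auth-Fail and critical VLANs really are isolated from the production network, because a host in the critical VLAN during a RADIUS outage has never been authenticated at all.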
  • Page 217: Reset Dot1X Guest-Vsi

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number.
    mac-address mac-address: Specifies the MAC address of an 802.1X user in the guest VLAN. If you do not specify this option, the command removes all 802.1X users from the 802.1X guest VLAN on the port.
  • Page 218

    Views
    User view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears 802.1X statistics on all ports.
    Examples
    # Clear 802.1X statistics on Ten-GigabitEthernet 1/0/1.
    <Sysname>...
  • Page 219: Mac Authentication Commands

    MAC authentication commands

    display mac-authentication
    Use display mac-authentication to display MAC authentication settings and statistics.
    Syntax
    display mac-authentication [ interface interface-type interface-number ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number. If the specified port is not enabled with MAC authentication, this command displays only global MAC authentication information.
  • Page 220

    Auth-delay period          : 60 s
    Periodic reauth            : Enabled
    Reauth period              : 120 s
    Re-auth server-unreachable : Logoff
    Guest VLAN                 : 100
    Guest VLAN auth-period     : 150 s
    Critical VLAN              : Not configured
    Critical voice VLAN        : Disabled
    Host mode                  : Multiple VLAN
    Offline detection          : Enabled...
  • Page 221

    Field: Description
    Authentication domain: MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays Not configured, use default domain.
    Online MAC-auth wired users: Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.
  • Page 222: Display Mac-Authentication Connection

    Field: Description
    Authentication order: If parallel processing of MAC authentication and 802.1X authentication is disabled, this field displays Default. If parallel processing of MAC authentication and 802.1X authentication is enabled, this field displays Parallel.
    Guest VSI: MAC authentication guest VSI configured on the port. If no MAC authentication guest VSI is configured, this field displays Not configured.
  • Page 223

    interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about online MAC authentication users for all ports.
    slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about online MAC authentication users for all cards.
  • Page 224: Display Mac-Authentication Mac-Address

    Field: Description
    User access state: Access state of the user:
    • Successful—The user passes MAC authentication and comes online.
    • Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.
    Authentication domain: MAC authentication domain to which the user belongs.
    IPv4 address of the user.
  • Page 225

    mdc-admin
    mdc-operator
    Parameters
    critical-vlan: Specifies the MAC authentication critical VLAN.
    critical-vsi: Specifies the MAC authentication critical VSI.
    guest-vlan: Specifies the MAC authentication guest VLAN.
    guest-vsi: Specifies the MAC authentication guest VSI.
    interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MAC address information of MAC authentication users in the specified MAC authentication VLAN or VSI on all ports.
  • Page 226: Mac-Authentication

    Field: Description
    Type VLAN/VSI: VLAN or VSI information for MAC authentication users. The Type argument has the following values:
    • Critical VLAN.
    • Critical VSI.
    • Guest VLAN.
    • Guest VSI.
    Aging time: MAC address aging time in seconds. This field displays N/A if the MAC addresses do not age out.
    MAC addresses: Number of matching MAC addresses on a port.
  • Page 227: Mac-Authentication Access-User Log Enable

    [Sysname] interface ten-gigabitethernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] mac-authentication
    Related commands
    display mac-authentication

    mac-authentication access-user log enable
    Use mac-authentication access-user log enable to enable logging for MAC authentication users.
    Use undo mac-authentication access-user log enable to disable logging for MAC authentication users.
    Syntax
    mac-authentication access-user log enable [ failed-login | logoff | successful-login ] *
    undo mac-authentication access-user log enable [ failed-login | logoff | successful-login ] *
    Default...
  • Page 228: Mac-Authentication Critical Vlan

    Syntax
    mac-authentication carry user-ip
    undo mac-authentication carry user-ip
    Default
    A MAC authentication request does not include the user IP address.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    This command addresses the IP address conflicts that can arise when users change their IP addresses. After you configure this command, a user cannot pass MAC authentication if the IP and MAC information in the authentication request does not match the user's IP-MAC mapping on the IMC server.
  • Page 229: Mac-Authentication Critical Vsi

    Default
    No MAC authentication critical VLAN exists on a port.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    critical-vlan-id: Specifies a VLAN as the MAC authentication critical VLAN. The value range for the VLAN ID is 1 to 4094.
  • Page 230: Mac-Authentication Critical-Voice-Vlan

    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    critical-vsi-name: Specifies the name of the MAC authentication critical VSI on the port, a case-sensitive string of 1 to 31 characters.
    Usage guidelines
    The MAC authentication critical VSI accommodates users that have failed MAC authentication because all the servers in their ISP domains are unreachable.
  • Page 231: Mac-Authentication Domain

    Usage guidelines
    The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable.
    Before you enable the MAC authentication critical voice VLAN on the port, make sure the following requirements are met:
    •...
  • Page 232: Mac-Authentication Guest-Vlan

    Parameters
    domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters.
    Usage guidelines
    The global authentication domain applies to all MAC authentication-enabled ports. An authentication domain specified in Layer 2 Ethernet interface view or Layer 2 aggregate interface view applies only to that port.
  • Page 233: Mac-Authentication Guest-Vlan Auth-Period

    passwords entered. You can deploy a limited set of network resources in the MAC authentication guest VLAN. For example, a software server for downloading software and system patches. You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
  • Page 234: Mac-Authentication Guest-Vsi

    Related commands
    display mac-authentication
    mac-authentication guest-vlan

    mac-authentication guest-vsi
    Use mac-authentication guest-vsi to configure a MAC authentication guest VSI on a port.
    Use undo mac-authentication guest-vsi to restore the default.
    Syntax
    mac-authentication guest-vsi guest-vsi-name
    undo mac-authentication guest-vsi
    Default
    No MAC authentication guest VSI exists on a port.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view...
  • Page 235: Mac-Authentication Guest-Vsi Auth-Period

    mac-authentication guest-vsi auth-period
    Use mac-authentication guest-vsi auth-period to set the interval at which the device authenticates users in the MAC authentication guest VSI.
    Use undo mac-authentication guest-vsi auth-period to restore the default.
    Syntax
    mac-authentication guest-vsi auth-period period-value
    undo mac-authentication guest-vsi auth-period
    Default
    The device authenticates users in the MAC authentication guest VSI every 30 seconds.
  • Page 236: Mac-Authentication Max-User

    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    The MAC authentication multi-VLAN mode prevents the service interruption that VLAN changes on a port would otherwise cause for an authenticated online user. When the port receives a packet sourced from the user in a VLAN that does not match the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user.
  • Page 237: Mac-Authentication Offline-Detect Enable

    Usage guidelines
    Set the maximum number of concurrent MAC authentication users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent MAC authentication users.
    Examples
    # Configure Ten-GigabitEthernet 1/0/1 to support a maximum of 32 concurrent MAC authentication users.
  • Page 238: Mac-Authentication Parallel-With-Dot1X

    mac-authentication parallel-with-dot1x
    Use mac-authentication parallel-with-dot1x to enable parallel processing of MAC authentication and 802.1X authentication on a port.
    Use undo mac-authentication parallel-with-dot1x to restore the default.
    Syntax
    mac-authentication parallel-with-dot1x
    undo mac-authentication parallel-with-dot1x
    Default
    Parallel processing of MAC authentication and 802.1X authentication is disabled on a port.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view...
  • Page 239: Mac-Authentication Re-Authenticate

    mac-authentication re-authenticate
    Use mac-authentication re-authenticate to enable the periodic MAC reauthentication feature on a port.
    Use undo mac-authentication re-authenticate to disable the periodic MAC reauthentication feature on a port.
    Syntax
    mac-authentication re-authenticate
    undo mac-authentication re-authenticate
    Default
    The periodic MAC reauthentication feature is disabled on a port.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view...
  • Page 240: Mac-Authentication Timer (Interface View)

    Default
    The keep-online feature is disabled on a port. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication.
    Views
    Layer 2 Ethernet interface view
    Layer 2 aggregate interface view
    Predefined user roles
    network-admin
    mdc-admin
    Usage guidelines
    The keep-online feature keeps authenticated MAC authentication users online when no server is...
  • Page 241: Mac-Authentication Timer (System View)

    Parameters
    auth-delay auth-delay-time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180.
    reauth-period reauth-period-value: Specifies the port-specific periodic MAC reauthentication timer in seconds. The value range is 60 to 7200.
    Usage guidelines
    When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered.
  • Page 242

    • The quiet timer is 60 seconds.
    • The global periodic MAC reauthentication timer is 3600 seconds.
    • The server timeout timer is 100 seconds.
    Views
    System view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    offline-detect offline-detect-value: Specifies the offline detect timer in seconds. The value range is 60 to 2147483647.
  • Page 243: Mac-Authentication User-Name-Format

    mac-authentication user-name-format
    Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.
    Use undo mac-authentication user-name-format to restore the default.
    Syntax
    mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } string ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
    undo mac-authentication user-name-format
    Default...
  • Page 244: Reset Mac-Authentication Critical Vlan

    Examples
    # Configure a shared account for MAC authentication users, with the username abc and the plaintext password xyz.
    <Sysname> system-view
    [Sysname] mac-authentication user-name-format fixed account abc password simple xyz
    # Use MAC-based user accounts for MAC authentication users. Each MAC address must be in hexadecimal notation with hyphens, and letters are in upper case.
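    The following is an added example, not taken from this manual, that combines the mac-authentication commands on pages 226 through 244 (global enable, domain, user-name-format, the system-view and interface-view timers, access-user log enable, max-user, guest-vlan and its auth-period, critical vlan, re-authenticate and carry user-ip) for a port that carries both 802.1X-capable hosts and MAC-only devices such as printers and phones. The ISP domain iot (bound to a RADIUS scheme configured with the AAA commands in the first chapter), the port number and the VLAN IDs 100 and 300 are assumptions for illustration.

```comware
# Added example (not from the manual). Assumes 802.1X is enabled globally,
# ISP domain "iot" exists and is bound to a RADIUS scheme, VLAN 100 = guest,
# VLAN 300 = critical. Both VLANs must be isolated from production.
<Sysname> system-view
[Sysname] mac-authentication
# The MAC address is both username and password. Pick the hyphen/case form
# that matches how the accounts are stored on the RADIUS server; a mismatch
# fails every device silently.
[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase
[Sysname] mac-authentication domain iot
# Global timers: quiet throttles retries after a failure (default 60 s);
# offline-detect logs off a host that has been silent for the period (default
# 300 s). Server timeout is left at its 100 s default.
[Sysname] mac-authentication timer quiet 120
[Sysname] mac-authentication timer offline-detect 600
# Log every successful login, failed login and logoff for the SOC.
[Sysname] mac-authentication access-user log enable failed-login logoff successful-login
[Sysname] interface ten-gigabitethernet 1/0/2
[Sysname-Ten-GigabitEthernet1/0/2] dot1x
[Sysname-Ten-GigabitEthernet1/0/2] mac-authentication
[Sysname-Ten-GigabitEthernet1/0/2] mac-authentication max-user 4
# Delay MAC authentication 15 s so a host that speaks EAPOL is handled by
# 802.1X first; a host that never sends EAPOL falls through to MAC
# authentication. (mac-authentication parallel-with-dot1x is the alternative
# where both run at once.)
[Sysname-Ten-GigabitEthernet1/0/2] mac-authentication timer auth-delay 15
# Fallbacks: guest VLAN for MACs the server rejects, re-tried every 150 s;
# critical VLAN when no server is reachable.
[Sysname-Ten-GigabitEthernet1/0/2] mac-authentication guest-vlan 100
[Sysname-Ten-GigabitEthernet1/0/2] mac-authentication guest-vlan auth-period 150
[Sysname-Ten-GigabitEthernet1/0/2] mac-authentication critical vlan 300
# Reauthenticate every 20 minutes on this port. keep-online is deliberately
# left at its default (disabled): a MAC address is trivially spoofed, so a
# user should not stay online through a server outage on that evidence alone.
[Sysname-Ten-GigabitEthernet1/0/2] mac-authentication re-authenticate
[Sysname-Ten-GigabitEthernet1/0/2] mac-authentication timer reauth-period 1200
# Send the learned IP address with the request so the IMC server can reject
# an IP/MAC pair that does not match its binding.
[Sysname-Ten-GigabitEthernet1/0/2] mac-authentication carry user-ip
[Sysname-Ten-GigabitEthernet1/0/2] quit
# Verify: Authentication order shows Default, auth-delay 15 s, and the
# fallback VLANs are listed.
[Sysname] display mac-authentication interface ten-gigabitethernet 1/0/2
```

    After applying this, check display mac-authentication connection for hosts that landed in the guest VLAN: a printer that should have authenticated but sits in the guest VLAN usually means the username format above does not match the account on the server.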
  • Page 245: Reset Mac-Authentication Critical-Voice-Vlan

    Views
    User view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number.
    mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical VSI on the port.
    Examples
    # Remove the user with MAC address 1-1-1 from the MAC authentication critical VSI on Ten-GigabitEthernet 1/0/1.
  • Page 246: Reset Mac-Authentication Guest-Vlan

    reset mac-authentication guest-vlan
    Use reset mac-authentication guest-vlan to remove users from the MAC authentication guest VLAN on a port.
    Syntax
    reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ]
    Views
    User view
    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    interface interface-type interface-number: Specifies a port by its type and number.
    mac-address mac-address: Specifies a user by its MAC address.
  • Page 247: Reset Mac-Authentication Statistics

    Examples
    # Remove the user with MAC address 1-1-1 from the MAC authentication guest VSI on Ten-GigabitEthernet 1/0/1.
    <Sysname> reset mac-authentication guest-vsi interface ten-gigabitethernet 1/0/1 mac-address 1-1-1
    Related commands
    display mac-authentication
    mac-authentication guest-vsi

    reset mac-authentication statistics
    Use reset mac-authentication statistics to clear MAC authentication statistics.
    Syntax
    reset mac-authentication statistics [ interface interface-type interface-number ]
    Views...
  • Page 248: Portal Commands

    Portal commands

    aging-time
    Use aging-time to set the aging time for MAC-trigger entries.
    Use undo aging-time to restore the default.
    Syntax
    aging-time seconds
    undo aging-time
    Default
    The aging time for MAC-trigger entries is 300 seconds.
    Views
    MAC binding server view
    Predefined user roles
    network-admin
    mdc-admin...
  • Page 249: Authentication-Timeout

    authentication-timeout
    Use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving a MAC binding query response.
    Use undo authentication-timeout to restore the default.
    Syntax
    authentication-timeout minutes
    undo authentication-timeout
    Default
    The authentication timeout time is 3 minutes.
  • Page 250: Default-Logon-Page

    Predefined user roles
    network-admin
    mdc-admin
    Parameters
    retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10.
    interval interval: Specifies the query interval in the range of 1 to 60 seconds.
    Usage guidelines
    If the device does not receive a response from the MAC binding server after the maximum number of query attempts is reached, the device determines that the MAC binding server is unreachable.
  • Page 251: Display Portal

    Usage guidelines You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device. After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages.
  • Page 252

    Pre-auth domain: abc
    User-dhcp-only: Enabled
    Pre-auth IP pool: ab
    Max Portal users: Not configured
    Bas-ip: Not configured
    User detection : Type: ICMP  Interval: 300s  Attempts: 5  Idle time: 180s
    Action for server detection:
      Server type      Server name      Action
      Web server                        fail-permit
      Portal server                     fail-permit...
  • Page 253

    Field: Description
    Portal status: Portal authentication status on the interface:
    • Disabled—Portal authentication is disabled.
    • Enabled—Portal authentication is enabled.
    • Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication.
    Authentication mode enabled on the interface:
    •...
  • Page 254: Display Portal Mac-Trigger-Server

    portal enable
    portal free-all except destination
    portal ipv6 free-all except destination
    portal ipv6 layer3 source
    portal layer3 source
    portal web-server

    display portal mac-trigger-server
    Use display portal mac-trigger-server to display information about MAC binding servers.
    Syntax
    display portal mac-trigger-server { all | name server-name }
    Views
    Any view
    Predefined user roles...
  • Page 255

    3.0—Version 3.
    Server type: Type of the MAC binding server. This field always displays IMC, which indicates the HPE IMC server.
    IP address of the MAC binding server.
    Port: UDP port number on which the MAC binding server listens for MAC binding query packets.
  • Page 256: Display Portal Packet Statistics

    display portal packet statistics
    Use display portal packet statistics to display packet statistics for portal authentication servers.
    Syntax
    display portal packet statistics [ server server-name ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator
    Parameters
    server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
  • Page 257

    NTF_USER_NOTIFY
    AFF_NTF_USER_NOTIFY
    Table 24 Command output
    Field: Description
    Portal server: Name of the portal authentication server.
    Invalid packets: Number of invalid packets.
    Pkt-Type: Packet type.
    Total: Total number of packets.
    Drops: Number of dropped packets.
    Errors: Number of packets that carry error information.
    REQ_CHALLENGE: Challenge request packet the portal authentication server sent to the access device.
  • Page 258: Display Portal Rule

    Field: Description
    NTF_USER_NOTIFY: User information notification packet the access device sent to the portal authentication server.
    AFF_NTF_USER_NOTIFY: NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.
    Related commands
    reset portal packet statistics

    display portal rule
    Use display portal rule to display portal filtering rules.
    Syntax
    In standalone mode:
    display portal rule { all | dynamic | static } { interface interface-type interface-number [ slot...
  • Page 259

    Rule 1
      Type        : Static
      Action      : Permit
      Protocol    : Any
      Status      : Active
      Source:
        IP        : 0.0.0.0
        Mask      : 0.0.0.0
        Port      : Any
        MAC       : 0000-0000-0000
        Interface : Vlan-interface100
        VLAN      : 100
      Destination:
        IP        : 192.168.0.111
        Mask      : 255.255.255.255
        Port      : Any
    Rule 2
      Type        : Dynamic...
  • Page 260

      Source:
        IP        : 0.0.0.0
        Mask      : 0.0.0.0
        Interface : Vlan-interface100
        VLAN      : Any
      Destination:
        IP        : 0.0.0.0
        Mask      : 0.0.0.0
    IPv6 portal rules on Vlan-interface100:
    Rule 1
      Type        : Static
      Action      : Permit
      Protocol    : Any
      Status      : Active
      Source:
        IP        : ::
        Prefix length
        Port      : Any...
  • Page 261

      Protocol    : TCP
      Destination:
        IP        : ::
        Prefix length
        Port      : 80
    Rule 4:
      Type        : Static
      Action      : Deny
      Status      : Active
      Source:
        IP        : ::
        Prefix length
        Interface : Vlan-interface100
        VLAN      : 100
      Destination:
        IP        : ::
        Prefix length
      Author ACL:
        Number    : 3001
    Rule 5:...
  • Page 262: Display Portal Server

    Field: Description
    Status: Status of the portal filtering rule:
    • Active—The portal filtering rule is effective.
    • Unactuated—The portal filtering rule is not activated.
    Source: Source information of the portal filtering rule.
    IP: Source IP address.
    Mask: Subnet mask of the source IPv4 address.
    Prefix length: Prefix length of the source IPv6 address.
  • Page 263: Display Portal User

    Usage guidelines
    If you do not specify the server-name argument, this command displays information about all portal authentication servers.
    Examples
    # Display information about the portal authentication server pts.
    <Sysname> display portal server pts
    Portal server: pts
      Type         : IMC
      IP           : 192.168.0.111
      VPN instance : Not configured...
  • Page 264

    Syntax
    display portal user { all | interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address | pre-auth [ interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address ] } [ verbose ]
    Views
    Any view
    Predefined user roles
    network-admin
    network-operator
    mdc-admin
    mdc-operator...
  • Page 265

    000d-88f8-0eac  3.3.3.3  Vlan-interface200
    Authorization information:
      DHCP IP pool: N/A
      User profile: N/A
      Session group profile: N/A
      ACL number: 3001
      Inbound CAR: CIR 3072 bps 3072 bps (inactive)
      Outbound CAR: CIR 3072 bps 3072 bps (inactive)
    # Display information about preauthentication portal users.
    <Sysname>...
  • Page 266

    Field: Description
    VPN instance: MPLS L3VPN instance to which the portal user belongs. If the portal user is on a public network, this field displays N/A.
    MAC address of the portal user.
    IP address of the portal user.
    VLAN: VLAN where the portal user resides.
    Interface: Access interface of the portal user.
  • Page 267

    Basic:
      Current IP address: 50.50.50.3
      Original IP address: 30.30.30.2
      Username: user1@hrss
      User ID: 0x28000002
      Access interface: Vlan-interface20
      Service-VLAN/Customer-VLAN: -/-
      MAC address: 0000-0000-0001
      Domain: hrss
      VPN instance: N/A
      Status: Online
      Portal server: test
      Portal authentication method: Direct
    AAA:
      Realtime accounting interval: 60s, retry times: 3
      Idle cut: 180 sec, 10240 bytes, direction: Inbound
      Session duration: 500 sec, remaining: 300 sec
      Remaining traffic: 10240000 bytes...
  • Page 268

    Field: Description
    Service-VLAN/Customer-VLAN: Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.
    MAC address: MAC address of the portal user.
    Domain: ISP domain name for portal authentication.
    MPLS L3VPN instance to which the portal user belongs.
  • Page 269

    Field: Description
    Inbound CAR: Authorized inbound CAR:
    • CIR—Committed information rate in bps.
    • PIR—Peak information rate in bps.
    • active—The authorized inbound CAR is applied to the user access interface successfully.
    • inactive—The authorized inbound CAR is not applied to the user access interface.
  • Page 270: Display Portal Web-Server

    Field Description This field is not supported in the current software version. level-n uplink packets/bytes: Packet and byte statistics of the upstream traffic at the accounting level n. The number n is in the range of 1 to 8. This field is not supported in the current software version. level-n downlink packets/bytes: Packet and byte statistics of the downstream traffic at the accounting level n.
  • Page 271: Display Web-Redirect Rule

    Table 29 Command output Field Description Type: Portal Web server type. This field always displays IMC, which indicates the IMC server. Portal Web server: Name of the portal Web server. URL: URL of the portal Web server. URL parameters: URL parameters for the portal Web server. VPN instance: Name of the MPLS L3VPN where the portal Web server resides.
  • Page 272 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays Web redirect rules for the active MPU. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
  • Page 273: If-Match

    Table 30 Command output Field Description Rule: Number of the Web redirect rule. Type: Type of the Web redirect rule: • Static—Static Web redirect rule, generated when the Web redirect feature takes effect. • Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.
  • Page 274 Parameters original-url url-string: Specifies a URL string to match the URL in HTTP requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters. redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.
  • Page 275: Ip (Mac Binding Server View)

    <Sysname> system-view [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1 Related commands display portal web-server portal free-rule url-parameter ip (MAC binding server view) Use ip to specify the IP address of a MAC binding server. Use undo ip to restore the default. Syntax ip ipv4-address [ vpn-instance ipv4-vpn-instance-name ] [ key { cipher | simple } string ] undo ip...
  • Page 276: Ip (Portal Authentication Server View)

    Examples # Specify the IP address of the MAC binding server as 192.168.0.111 and the plaintext key as portal. <Sysname> system-view [Sysname] portal mac-trigger-server mts [Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal Related commands display portal mac-trigger-server ip (portal authentication server view) Use ip to specify the IP address of an IPv4 portal authentication server.
  • Page 277: Ipv6

    Examples # Configure the IP address of IPv4 portal authentication server pts as 192.168.0.111 and the plaintext key as portal. <Sysname> system-view [Sysname] portal server pts [Sysname-portal-server-pts] ip 192.168.0.111 key simple portal Related commands display portal server portal server ipv6 Use ipv6 to specify the IP address of an IPv6 portal authentication server.
  • Page 278: Nas-Port-Type

    Do not configure the same IPv6 address and MPLS L3VPN for different portal authentication servers. Examples # Configure the IP address of IPv6 portal authentication server pts as 2000::1 and the plaintext key as portal. <Sysname> system-view [Sysname] portal server pts [Sysname-portal-server-pts] ipv6 2000::1 key simple portal Related commands display portal server...
  • Page 279: Port (Mac Binding Server View)

    port (MAC binding server view) Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets. Use undo port to restore the default. Syntax port port-number undo port Default The MAC binding server listens for MAC binding query packets on UDP port 50100. Views MAC binding server view Predefined user roles...
  • Page 280: Portal { Bas-Ip | Bas-Ipv6 } (Interface View)

    Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534. Usage guidelines The specified port must be the port that listens to portal packets on the portal authentication server. Examples # Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to portal authentication server pts.
  • Page 281: Portal { Ipv4-Max-User | Ipv6-Max-User } (Interface View)

    You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface if the following conditions are met: • The portal authentication server is an HPE IMC server or the portal authentication mode on the interface is re-DHCP. •...
  • Page 282: Portal Apply Mac-Trigger-Server

    Usage guidelines If the specified maximum number is smaller than the number of current online portal users on the interface, the limit can be set successfully. The limit does not impact the online portal users. However, the device does not allow new portal users to log in from the interface until the number drops down below the limit.
  • Page 283: Portal Apply Web-Server (Interface View)

    Related commands portal mac-trigger-server portal apply web-server (interface view) Use portal [ ipv6 ] apply web-server to specify a portal Web server. The device redirects the HTTP requests sent by unauthenticated portal users to the portal Web server. Use undo portal [ ipv6 ] apply web-server to restore the default. Syntax portal [ ipv6 ] apply web-server server-name [ fail-permit ] undo portal [ ipv6 ] apply web-server...
  • Page 284: Portal Authorization Strict-Checking

    portal authorization strict-checking Use portal authorization strict-checking to enable strict checking on portal authorization information. Use undo portal authorization strict-checking to disable strict checking on portal authorization information. Syntax portal authorization { acl | user-profile } strict-checking undo portal authorization { acl | user-profile } strict-checking Default Strict checking on portal authorization information is disabled.
  • Page 285: Portal Device-Id

    mdc-admin Parameters ipv4-address: Specifies the IP address of an IPv4 online portal user. all: Specifies IPv4 and IPv6 online portal users on all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 online portal users on the interface. ipv6 ipv6-address: Specifies the IP address of an IPv6 online portal user.
  • Page 286: Portal Domain (Interface View)

    portal domain (interface view) Use portal [ ipv6 ] domain to specify a portal authentication domain on an interface. All portal users accessing through the interface must use the authentication domain. Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain. Syntax portal [ ipv6 ] domain domain-name undo portal [ ipv6 ] domain...
  • Page 287: Portal Fail-Permit Server

    Default Portal authentication is disabled. Views Interface view Predefined user roles network-admin mdc-admin Parameters ipv6: Enables IPv6 portal authentication. Do not specify this keyword for IPv4 portal authentication. method: Specifies an authentication mode: • direct—Direct authentication. • layer3—Cross-subnet authentication. • redhcp—Re-DHCP authentication.
  • Page 288: Portal Free-All Except Destination

    Views Interface view Predefined user roles network-admin mdc-admin Parameters ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server. server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
  • Page 289: Portal Free-Rule

    mdc-admin Parameters ipv4-network-address: Specifies an IPv4 portal authentication subnet address. mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to 32. mask: Specifies the subnet mask in dotted decimal format. Usage guidelines Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules).
  • Page 290 Predefined user roles network-admin mdc-admin Parameters rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295. destination: Specifies the destination information. source: Specifies the source information. ip ipv4-address: Specifies an IPv4 address for the portal-free rule. { mask-length | mask }: Specifies the subnet mask of the IPv4 address.
  • Page 291: Portal Free-Rule Destination

    • Specify the source IP address as 2000::1/64, the destination IP address as 2001::1, and the destination TCP port number as 23. • Specify the interface as VLAN-interface 1. <Sysname> system-view [Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ip 2000::1 64 interface vlan-interface 1 With this rule, users in subnet 2000::1/64 do not need to pass portal authentication on VLAN-interface 1 when they access services provided on TCP port 23 of host 2001::1.
  • Page 292: Portal Free-Rule Source

    The configured host name cannot contain only asterisks (*). The fuzzy match feature takes effect only on HTTP or HTTPS requests initiated by Web browsers. You cannot configure two destination-based portal-free rules with the same destination information. Otherwise the system prompts you that the same rule already exists. Examples # Configure a destination-based portal-free rule: specify the rule number as 4 and host name as www.abc.com.
  • Page 293: Portal Ipv6 Free-All Except Destination

    Examples # Configure source-based portal-free rule: specify the rule number as 3, source MAC address as 1-1-1, and source VLAN ID as 10. This rule allows the portal user whose source MAC address is 1-1-1 from VLAN 10 to access network resources without authentication. <Sysname>...
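The portal-free rule semantics spread across Pages 290 to 293 (destination IP/port/interface criteria, host-name fuzzy match with asterisks, source MAC and VLAN criteria, and the duplicate-destination check) are easier to reason about as one matcher. The following is an added example written for this page, not HPE code: it reproduces the three rules from the reference examples (rule 2, rule 3 and rule 4) in a small evaluator. The Packet class, the interface-name normalisation, the constructed fuzzy-host rule 5 and all sample traffic are assumptions of the example.

```python
"""Portal-free rule matching (added example, not HPE code).

A rule exempts a packet from portal authentication only if every criterion
it carries matches.  Destination criteria: IP/prefix, protocol+port, host
name ('*' wildcards; browser HTTP/HTTPS only; not all asterisks).  Source
criteria: IP/prefix, MAC, VLAN.  A rule may also be tied to an interface.
Two destination-based rules with the same destination data are rejected.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_net(text: str) -> IPNet:
    """'2000::1 64' -> 2000::/64; the CLI writes the prefix length after the address."""
    addr, prefix = text.split()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def norm_mac(mac: str) -> str:
    """Comware H-H-H notation: '1-1-1' -> '0001-0001-0001'."""
    return "-".join(p.zfill(4).lower() for p in mac.split("-"))


def norm_if(name: str) -> str:
    """'vlan-interface 1' and 'Vlan-interface1' name the same interface (assumed)."""
    return name.replace(" ", "").lower()


def host_pattern(pattern: str) -> "re.Pattern[str]":
    """Fuzzy host match: '*' matches any run of characters; all-asterisk names are invalid."""
    if not pattern or set(pattern) == {"*"}:
        raise ValueError("host name cannot contain only asterisks")
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)


@dataclass
class FreeRule:
    number: int
    dst_net: Optional[IPNet] = None
    proto: Optional[str] = None        # "tcp" or "udp", used together with dst_port
    dst_port: Optional[int] = None
    dst_host: Optional[str] = None     # host name, may contain '*'
    src_net: Optional[IPNet] = None
    src_mac: Optional[str] = None
    src_vlan: Optional[int] = None
    interface: Optional[str] = None

    def dest_key(self):
        return (self.dst_net, self.proto, self.dst_port, self.dst_host)

    def is_destination_based(self) -> bool:
        return any(v is not None for v in self.dest_key())


@dataclass
class Packet:                          # constructed for the example
    src_ip: str
    dst_ip: str
    interface: str
    proto: str = ""
    dst_port: int = 0
    src_mac: str = ""
    src_vlan: int = 0
    http_host: str = ""                # Host header of a browser HTTP/HTTPS request, else empty


class FreeRuleTable:
    def __init__(self) -> None:
        self.rules = []

    def add(self, rule: FreeRule) -> None:
        if rule.dst_host is not None:
            host_pattern(rule.dst_host)            # reject invalid host names early
        if rule.is_destination_based():
            for r in self.rules:
                if r.is_destination_based() and r.dest_key() == rule.dest_key():
                    raise ValueError(f"the same rule already exists (rule {r.number})")
        self.rules.append(rule)

    def match(self, pkt: Packet) -> Optional[int]:
        """Number of the first rule exempting pkt, or None (authentication required)."""
        return next((r.number for r in self.rules if self._matches(r, pkt)), None)

    @staticmethod
    def _matches(r: FreeRule, pkt: Packet) -> bool:
        if r.interface is not None and norm_if(r.interface) != norm_if(pkt.interface):
            return False
        if r.dst_net is not None and ipaddress.ip_address(pkt.dst_ip) not in r.dst_net:
            return False
        if r.proto is not None and (r.proto != pkt.proto or r.dst_port != pkt.dst_port):
            return False
        if r.dst_host is not None and not (pkt.http_host and host_pattern(r.dst_host).match(pkt.http_host)):
            return False                           # fuzzy match only applies to browser requests
        if r.src_net is not None and ipaddress.ip_address(pkt.src_ip) not in r.src_net:
            return False
        if r.src_mac is not None and norm_mac(r.src_mac) != norm_mac(pkt.src_mac):
            return False
        return r.src_vlan is None or r.src_vlan == pkt.src_vlan


def build_table() -> FreeRuleTable:
    """Rules 2, 3 and 4 from the reference examples plus a constructed fuzzy-host rule 5."""
    t = FreeRuleTable()
    t.add(FreeRule(2, dst_net=parse_net("2001::1 128"), proto="tcp", dst_port=23,
                   src_net=parse_net("2000::1 64"), interface="vlan-interface 1"))
    t.add(FreeRule(3, src_mac="1-1-1", src_vlan=10))
    t.add(FreeRule(4, dst_host="www.abc.com"))
    t.add(FreeRule(5, dst_host="*.example.test"))   # constructed, not from the reference
    return t
```

A practical check this makes visible: a host-name rule never exempts non-HTTP traffic (SSH to the same server still requires authentication), and a rule tied to VLAN-interface 1 does nothing for users arriving on another interface, so rule placement matters as much as rule content.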
  • Page 294: Portal Ipv6 Layer3 Source

    [Sysname-Vlan-interface2] portal ipv6 free-all except destination 1::2 16 Related commands display portal portal ipv6 layer3 source Use portal ipv6 layer3 source to configure an IPv6 portal authentication source subnet. Use undo portal ipv6 layer3 source to delete IPv6 portal authentication source subnets. Syntax portal ipv6 layer3 source ipv6-network-address prefix-length undo portal ipv6 layer3 source [ ipv6-network-address ]...
  • Page 295: Portal Ipv6 User-Detect

    portal ipv6 user-detect Use portal ipv6 user-detect to enable online detection of IPv6 portal users. Use undo portal user-detect to disable online detection of IPv6 portal users. Syntax portal ipv6 user-detect type { icmpv6 | nd } [ retry retries ] [ interval interval ] [ idle time ] undo portal ipv6 user-detect Default Online detection of IPv6 portal users is disabled.
  • Page 296: Portal Layer3 Source

    If firewall policies on the access device filter out ICMPv6 packets, ICMPv6 detection might fail and result in the logout of portal users. Make sure the access device does not block ICMPv6 packets before you enable ICMPv6 detection on an interface. Examples # Enable online detection of IPv6 portal users on VLAN-interface 100.
  • Page 297: Portal Local-Web-Server

    Examples # Configure an IPv4 portal authentication source subnet of 10.10.10.0/24 on VLAN-interface 2. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] portal layer3 source 10.10.10.0 24 Related commands display portal portal free-all except destination portal local-web-server Use portal local-web-server to create an HTTP- or HTTPS-based local portal Web service and enter its view, or enter the view of the existing HTTP- or HTTPS-based local portal Web service.
  • Page 298: Portal Log Enable

    To specify a new SSL server policy for HTTPS, first execute the undo form of this command to delete the existing HTTPS-based local portal Web service. When you specify the listening TCP port number for the HTTPS-based local portal Web service, follow these restrictions and guidelines: •...
  • Page 299: Portal Mac-Trigger Server

    Default Portal user login and logout logging is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This feature logs information about portal user login and logout events, including the username, IP address, user's MAC address, interface name, VLAN, and reason for login failure. For portal log messages to be sent correctly, you must also configure the information center on the device.
  • Page 300: Portal Max-User

    [Sysname-portal-mac-trigger-server-mts] Related commands display portal mac-trigger-server portal apply mac-trigger-server portal max-user Use portal max-user to set the maximum number of total portal users allowed in the system. Use undo portal max-user to restore the default. Syntax portal max-user max-number undo portal max-user Default The total number of portal users allowed in the system is not limited.
  • Page 301: Portal Nas-Port-Id Format

    Syntax portal nas-id-profile profile-name undo portal nas-id-profile Default No NAS-ID profile is specified for an interface. Views Interface view Predefined user roles network-admin mdc-admin Parameters profile-name: Specifies the name of a NAS-ID profile, a case-insensitive string of 1 to 31 characters. Usage guidelines A NAS-ID profile defines the binding relationship between VLANs and NAS-IDs.
  • Page 302 Predefined user roles network-admin mdc-admin Parameters 1: Uses format 1 for the NAS-Port-Id attribute. 2: Uses format 2 for the NAS-Port-Id attribute. 3: Uses format 3 for the NAS-Port-Id attribute. 4: Uses format 4 for the NAS-Port-Id attribute. Usage guidelines The NAS-Port-Id format supported by RADIUS servers varies by vendor.
  • Page 303 Identifier description of the access node, a string not AccessNodeIdentifier longer than 50 characters without spaces. ANI_frame Frame number of the access node, in the range of 0 to 31. ANI_slot Slot number of the access node, in the range of 0 to 127. Subslot number of the access node, in the range of 0 to ANI_subslot ANI_port...
  • Page 304: Portal Outbound-Filter Enable

    Format 2 is SlotID00IfNOVlanID. • SlotID—Slot number, a string of 2 characters. • IfNO—Interface number, a string of 3 characters. • VlanID—VLAN ID, a string of 9 characters. Format 3 is SlotID00IfNOVlanIDDHCPoption. • SlotID—Slot number, a string of 2 characters. •...
  • Page 305: Portal Pre-Auth Domain

    Other outgoing packets on the interface are dropped. Examples # Enable outgoing packets filtering on VLAN-interface 20. <Sysname> system-view [Sysname] interface vlan-interface 20 [Sysname-Vlan-interface20] portal outbound-filter enable portal pre-auth domain Use portal [ ipv6 ] pre-auth domain to specify a preauthentication domain for portal users. Use undo portal [ ipv6 ] pre-auth domain to restore the default.
  • Page 306: Portal Pre-Auth Ip-Pool

    • You create the ISP domain after specifying it as the preauthentication domain. • You delete the specified ISP domain and then re-create it. If you change the preauthentication domain on an interface, the interface uses the new preauthentication domain for both new and existing preauthentication users. If authorization attributes in the preauthentication domain are modified, the modified attributes take effect only on new preauthentication users.
  • Page 307: Portal Refresh Enable

    Usage guidelines You must use this command to specify a preauthentication IP address pool on a portal-enabled interface in the following situation: • Portal users access the network through a subinterface of the portal-enabled interface. • The subinterface does not have an IP address. •...
  • Page 308: Portal Roaming Enable

    Usage guidelines When the Rule ARP or ND entry feature is enabled for portal clients, ARP or ND entries for portal clients are Rule entries after the clients come online. The Rule ARP or ND entries will not age out and will be deleted immediately after the portal clients go offline.
  • Page 309: Portal Server

    portal server Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server. Use undo portal server to delete the specified portal authentication server. Syntax portal server server-name undo portal server server-name Default No portal authentication servers exist.
  • Page 310 undo portal user-detect Default Online detection of IPv4 portal users is disabled. Views Interface view Predefined user roles network-admin mdc-admin Parameters type: Specifies the detection type. • arp—ARP detection. • icmp—ICMP detection. retry retries: Specifies the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.
  • Page 311: Portal User-Dhcp-Only (Interface View)

    [Sysname-Vlan-interface100] portal user-detect type arp retry 5 interval 10 idle 300 Related commands display portal portal user-dhcp-only (interface view) Use portal user-dhcp-only to allow only users with DHCP-assigned IP addresses to pass portal authentication. Use undo portal user-dhcp-only to restore the default. Syntax portal [ ipv6 ] user-dhcp-only undo portal [ ipv6 ] user-dhcp-only...
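The online-detection parameters on Pages 295, 296 and 310 (detection type, retry, interval, idle) interact in a way that is worth seeing end to end, including the Page 296 caveat that a firewall policy on the access device dropping ICMPv6 probes logs out users who are actually still there. The following is an added example written for this page, not HPE code. It takes from the reference only the parameter names, the retry default of 3 and the example `retry 5 interval 10 idle 300`; the remaining timer semantics (probing starts when the idle timer expires, probes are sent every `interval` seconds, the user is logged out after `retry` unanswered probes, a reply counts as activity), the assumed defaults for interval and idle, the one-second tick and all users and timings are assumptions of the model.

```python
"""Online detection of portal users: idle timer, probe retries, logout.

Added example (not HPE code).  Models `portal user-detect` as: after a
user has sent nothing for `idle` seconds, send ARP/ICMP (or ND/ICMPv6)
probes every `interval` seconds; log the user out when `retry` probes in
a row go unanswered.  Semantics beyond the reference text are assumed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class DetectConfig:
    kind: str = "arp"      # arp | icmp for IPv4, nd | icmpv6 for IPv6
    retry: int = 3         # reference default 3, range 1 to 10
    interval: int = 3      # assumed default, seconds between probes
    idle: int = 180        # assumed default, seconds without user traffic


@dataclass
class PortalUser:          # constructed for the example
    ip: str
    last_seen: int = 0     # time of the last traffic seen from the user
    online: bool = True
    probes_sent: int = 0
    next_probe: Optional[int] = None


class OnlineDetector:
    def __init__(self, cfg: DetectConfig, probe: Callable[[PortalUser], bool]):
        self.cfg = cfg
        self.probe = probe          # sends one probe, returns True if the user answered
        self.log: List[str] = []

    def traffic_seen(self, user: PortalUser, now: int) -> None:
        """Traffic from the user restarts the idle timer and clears probe state."""
        user.last_seen = now
        user.probes_sent = 0
        user.next_probe = None

    def tick(self, user: PortalUser, now: int) -> None:
        if not user.online or now - user.last_seen < self.cfg.idle:
            return
        if user.next_probe is None:
            user.next_probe = now           # idle timer expired: start probing
        if now < user.next_probe:
            return
        user.probes_sent += 1
        if self.probe(user):
            self.log.append(f"t={now} {user.ip}: {self.cfg.kind} reply, kept online")
            self.traffic_seen(user, now)    # a reply counts as activity (assumed)
            return
        if user.probes_sent >= self.cfg.retry:
            user.online = False
            self.log.append(f"t={now} {user.ip}: no {self.cfg.kind} reply after "
                            f"{self.cfg.retry} probes, logged out")
        else:
            user.next_probe = now + self.cfg.interval


def make_probe(host_alive: bool, probes_filtered: bool) -> Callable[[PortalUser], bool]:
    """probes_filtered models a firewall policy on the access device dropping the
    probe or its reply (the ICMPv6 caveat): a live host then looks dead."""
    return lambda user: host_alive and not probes_filtered


def simulate(cfg: DetectConfig, probe, traffic_at=(), horizon: int = 1000) -> Optional[int]:
    """Run one user through the detector; return the logout time or None if still online."""
    user = PortalUser(ip="10.10.10.5")
    det = OnlineDetector(cfg, probe)
    for now in range(horizon + 1):
        if now in traffic_at:
            det.traffic_seen(user, now)
        det.tick(user, now)
        if not user.online:
            return now
    return None


if __name__ == "__main__":
    # The reference example: portal user-detect type arp retry 5 interval 10 idle 300
    cfg = DetectConfig(kind="arp", retry=5, interval=10, idle=300)
    print("silent but reachable :", simulate(cfg, make_probe(True, False)))
    print("host gone            :", simulate(cfg, make_probe(False, False)))
    print("alive, probes dropped:", simulate(cfg, make_probe(True, True)))
```

With the reference values a silent-but-reachable user stays online indefinitely, a host that has gone is logged out at idle + (retry - 1) * interval = 340 s, and a live host whose probes are filtered is logged out at exactly the same time: the detector cannot tell the two apart, which is why the reference tells you to make sure the device does not block the detection packets before enabling the feature.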
  • Page 312: Portal Web-Server

    undo portal web-proxy port { port-number | all } Default No port numbers of Web proxy servers are specified. Proxied HTTP requests are dropped. Views System view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies the port number of a Web proxy server. The value range for this argument is 1 to 65535.
  • Page 313: Reset Portal Packet Statistics

    Default No portal Web servers exist. Views System view Predefined user roles network-admin mdc-admin Parameters server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP requests of unauthenticated portal users to the portal Web server.
  • Page 314: Server-Detect (Portal Authentication Server View)

    Related commands display portal packet statistics server-detect (portal authentication server view) Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status. Use undo server-detect to disable portal authentication server detection.
  • Page 315: Server-Detect (Portal Web Server View)

    [Sysname] portal server pts [Sysname-portal-server-pts] server-detect timeout 600 log Related commands portal server server-detect (portal Web server view) Use server-detect to enable portal Web server detection. Use undo server-detect to disable portal Web server detection. Syntax server-detect [ interval interval ] [ retry retries ] { log | trap } * undo server-detect Default Portal Web server detection is disabled.
  • Page 316: Server-Type

    Related commands portal web-server server-type Use server-type to specify the type of a portal authentication server or portal Web server. Use undo server-type to restore the default. Syntax server-type imc undo server-type Default The type of the portal authentication server and portal Web server is IMC. Views Portal authentication server view Portal Web server view...
  • Page 317: Tcp-Port

    Default The type of the MAC binding server is IMC. Views MAC binding server view Predefined user roles network-admin mdc-admin Parameters imc: Specifies the MAC binding server type as IMC. Examples # Specify the type of MAC binding server as imc. <Sysname>...
  • Page 318: Url

    • Do not configure the HTTPS listening port number as the default HTTP listening port number. • Do not configure the same listening port number for HTTP and HTTPS. • For the HTTPS-based local portal Web service and other services that use HTTPS: If they use the same SSL server policy, they can use the same TCP port number to listen to ...
  • Page 319: Url-Parameter

    [Sysname-portal-websvr-wbs] url http://www.test.com/portal Related commands display portal web-server url-parameter Use url-parameter to configure the parameters carried in the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user. Use undo url-parameter to delete the parameters carried in the URL of the portal Web server.
  • Page 320: User-Sync

    Usage guidelines You can configure multiple URL parameters. If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect. After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users.
  • Page 321: Version

    undo user-sync Default Portal user synchronization is disabled for a portal authentication server. Views Portal authentication server view Predefined user roles network-admin mdc-admin Parameters timeout timeout: Specifies a detection timeout for synchronization packets, in the range of 60 to 18000 seconds. Usage guidelines After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server.
  • Page 322: Vpn-Instance

    undo version Default The version of the portal protocol is 1. Views MAC binding server view Predefined user roles network-admin mdc-admin Parameters version-number: Specifies the portal protocol version in the range of 1 to 3. Usage guidelines The specified portal protocol version must be the version required by the MAC binding server. Examples # Configure the device to use portal protocol version 2 to communicate with MAC binding server mts.
  • Page 323: Web-Redirect Url

    Usage guidelines A portal Web server belongs to only one MPLS L3VPN instance. Examples # Specify MPLS L3VPN instance abc for portal Web server wbs. <Sysname> system-view [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] vpn-instance abc web-redirect url Use web-redirect url to enable the Web redirect feature. Use undo web-redirect url to disable the Web redirect feature.
  • Page 324: Port Security Commands

    Port security commands display port-security Use display port-security to display port security configuration, operation information, and statistics for ports. Syntax display port-security [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.
  • Page 325 Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : 32 Current secure MAC addresses Authorization : Permitted NAS-ID profile : Not configured Free VLANs : Not configured Open authentication : Disabled Table 31 Command output Field Description Port security...
  • Page 326 Field Description Port mode: Port security mode: • noRestrictions. • autoLearn. • macAddressWithRadius. • macAddressElseUserLoginSecure. • macAddressElseUserLoginSecureExt. • secure. • userLogin. • userLoginSecure. • userLoginSecureExt. • macAddressOrUserLoginSecure. • macAddressOrUserLoginSecureExt. • userLoginWithOUI. For more information about port security modes, see Security Configuration Guide.
  • Page 327: Display Port-Security Mac-Address Block

    Field Description Free VLANs: VLANs in which packets will not trigger authentication. If you do not configure free VLANs, this field displays Not configured. Open authentication: Whether open authentication mode is enabled on the port. display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses.
  • Page 328: Display Port-Security Mac-Address Security

    Table 32 Command output Field Description MAC ADDR: Blocked MAC address. Port: Port having received frames with the blocked MAC address being the source address. VLAN ID: ID of the VLAN to which the port belongs. number mac address(es) found: Number of blocked MAC addresses.
  • Page 329: Port-Security Access-User Log Enable

    --- Number of secure MAC addresses: 1 --- Table 33 Command output Field Description MAC ADDR: Secure MAC address. VLAN ID: ID of the VLAN to which the port belongs. STATE: Type of the MAC address. This field displays Secure for a secure MAC address.
  • Page 330: Port-Security Authentication Open

    Usage guidelines As a best practice, disable this feature to prevent excessive output of logs for port security users. If you do not specify any parameters, this command enables all logging functions for port security users. Examples # Enable logging for intrusion protection. <Sysname>...
  • Page 331: Port-Security Authentication Open Global

    Examples # Enable open authentication mode on Ten-GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] port-security authentication open Related commands display dot1x connection display mac-authentication connection port-security authentication open global port-security authentication open global Use port-security authentication open global to enable global open authentication mode. Use undo port-security authentication open global to disable global open authentication mode.
  • Page 332: Port-Security Authorization Ignore

    Related commands display dot1x connection display mac-authentication connection port-security authentication open port-security authorization ignore Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device). Use undo port-security authorization ignore to restore the default. Syntax port-security authorization ignore undo port-security authorization ignore...
  • Page 333: Port-Security Enable

    Default The authorization-fail-offline feature is disabled. The device does not log off users that fail authorization. Views System view Predefined user roles network-admin mdc-admin Parameters quiet-period: Enables the quiet timer for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature.
  • Page 334: Port-Security Free-Vlan

    undo port-security enable Default Port security is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines You must disable global 802.1X and MAC authentication before you enable port security on a port. Enabling or disabling port security resets the following security settings to the default: •...
  • Page 335: Port-Security Intrusion-Mode

    mdc-admin Parameters vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of start-vlan-id to end-vlan-id. The value range for VLAN IDs is 1 to 4094. The end VLAN ID must be equal to or greater than the start VLAN ID. Usage guidelines This command allows packets from the specified VLANs to not trigger 802.1X or MAC authentication on a port configured with any of the following features:...
  • Page 336: Port-Security Mac-Address Aging-Type Inactivity

    Predefined user roles network-admin mdc-admin Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for 3 minutes, which is not user configurable.
  • Page 337: Port-Security Mac-Address Dynamic

    Usage guidelines This command enables the device to periodically detect traffic data from secure MAC addresses. If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the secure MAC addresses. When you use the aging timer together with the inactivity aging feature, the aging timer restarts once traffic data is detected from the secure MAC addresses.
  • Page 338: Port-Security Mac-Address Security

    lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot. You can display dynamic secure MAC addresses by using the display port-security mac-address security command. The undo port-security mac-address dynamic command converts all dynamic secure MAC addresses on the port to sticky MAC addresses.
  • Page 339 vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs. The value range for the vlan-id argument is 1 to 4094. Usage guidelines Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot.
  • Page 340: Port-Security Mac-Limit

    port-security mac-limit Use port-security mac-limit to set the maximum number of MAC addresses that port security allows for specific VLANs on a port. Use undo port-security mac-limit to restore the default. Syntax port-security mac-limit max-number per-vlan vlan-id-list undo port-security mac-limit per-vlan vlan-id-list Default The maximum number is 2147483647.
  • Page 341: Port-Security Mac-Move Permit

    Related commands display dot1x display mac-authentication port-security mac-move permit Use port-security mac-move permit to enable MAC move on the device. Use undo port-security mac-move permit to disable MAC move on the device. Syntax port-security mac-move permit undo port-security mac-move permit Default MAC move is disabled on the device.
  • Page 342 Default Port security does not limit the number of secure MAC addresses on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters max-count: Specifies the maximum number of secure MAC addresses that port security allows on the port.
  • Page 343: Port-Security Nas-Id-Profile

    port-security nas-id-profile Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security. Use undo port-security nas-id-profile to restore the default. Syntax port-security nas-id-profile profile-name undo port-security nas-id-profile Default No NAS-ID profile is applied to port security globally or on any port. Views System view Layer 2 Ethernet interface view...
  • Page 344: Port-Security Oui

    Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode Default The NTK feature is not configured on a port and all frames are allowed to be sent. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin...
  • Page 345: Port-Security Port-Mode

    Predefined user roles network-admin mdc-admin Parameters index-value: Specifies the OUI index, in the range of 1 to 16. oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value. Usage guidelines You can configure multiple OUI values.
  • Page 346 Parameters Keyword Security mode Description A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address. Instead, the MAC addresses are added to the secure MAC address table as secure MAC addresses.
  • Page 347 Keyword Security mode Description This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in. In this mode, the port performs 802.1X authentication first.
  • Page 348: Port-Security Timer Autolearn Aging

    <Sysname> system-view [Sysname] port-security enable [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode secure # Change the port security mode of Ten-GigabitEthernet 1/0/1 to userLogin. [Sysname-Ten-GigabitEthernet1/0/1] undo port-security port-mode [Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode userlogin Related commands display port-security port-security max-mac-count port-security timer autolearn aging Use port-security timer autolearn aging to set the secure MAC aging timer.
  • Page 349: Port-Security Timer Disableport

    When a short aging time (less than 60 seconds) works with inactivity aging, do not assign a large value to the maximum number of secure MAC addresses on a port. A large value in this case might affect device performance. Examples # Set the secure MAC aging timer to 30 minutes.
  • Page 350: Snmp-Agent Trap Enable Port-Security

    Related commands display port-security port-security intrusion-mode snmp-agent trap enable port-security Use snmp-agent trap enable port-security to enable SNMP notifications for port security. Use undo snmp-agent trap enable port-security to disable SNMP notifications for port security. Syntax snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] * undo snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *...
  • Page 351 Related commands display port-security port-security enable...
  • Page 352: Password Control Commands

    Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
  • Page 353: Display Password-Control Blacklist

    Table 34 Command output (Field: Description). Password control: Whether the password control feature is enabled. Password aging: Whether password expiration is enabled and, if enabled, the aging time. Password length: Whether the minimum password length restriction feature is enabled and, if enabled, the setting. Password composition: Whether the password composition restriction feature is enabled and, if enabled, the settings.
  • Page 354: Password-Control { Aging | Composition | History | Length } Enable

    ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines If you do not specify any parameters, this command displays information about all users in the password control blacklist. The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication.
  • Page 355: Password-Control Aging

    Predefined user roles network-admin mdc-admin Parameters aging: Enables the password expiration feature. composition: Enables the password composition restriction feature. history: Enables the password history feature. length: Enables the minimum password length restriction feature. Usage guidelines For a specific password control feature to take effect, make sure the global password control and the specific password control feature are both enabled.
  • Page 356 undo password-control aging Default A password expires after 90 days. The password aging time for a user group equals the global setting. The password aging time for a local user equals that of the user group to which the local user belongs.
  • Page 357: Password-Control Alert-Before-Expire

    password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days.
  • Page 358: Password-Control Composition

    Views System view User group view Local user view Predefined user roles network-admin mdc-admin Parameters same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
  • Page 359 The password using the global composition policy must contain a minimum of one character type and a minimum of one character for each type. In FIPS mode: The password using the global composition policy must contain a minimum of four character types and a minimum of one character for each type.
  • Page 360: Password-Control Enable

    # Specify that the password of device management user abc must contain a minimum of four character types and a minimum of five characters for each type. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5 Related commands display local-user display password-control display user-group...
  • Page 361: Password-Control Expired-User-Login

    password-control expired-user-login Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires. Use undo password-control expired-user-login to restore the defaults. Syntax password-control expired-user-login delay delay times times undo password-control expired-user-login Default A user can log in three times within 30 days after the password expires.
  • Page 362: Password-Control Length

    Predefined user roles network-admin mdc-admin Parameters max-record-number: Specifies the maximum number of history password records for each user. The value range is 2 to 15. Usage guidelines When the number of history password records reaches the maximum number, the subsequent history record overwrites the earliest one.
  • Page 363: Password-Control Login Idle-Time

    Local user view Predefined user roles network-admin mdc-admin Parameters length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode. Usage guidelines The minimum length setting depends on the view: •...
  • Page 364: Password-Control Login-Attempt

    Default The maximum account idle time is 90 days. Views System view Predefined user roles network-admin mdc-admin Parameters idle-time: Specifies the maximum account idle time in days. The value range is 0 to 365. 0 means no restriction for account idle time. Usage guidelines If a user account is idle for this period of time, the account becomes invalid and can no longer be used to log in to the device.
  • Page 365 mdc-admin Parameters login-times: Specifies the maximum number of consecutive login failures. The value range is 2 to 10. exceed: Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts. •...
  • Page 366: Password-Control Super Aging

    # Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock. [Sysname] display password-control blacklist Username: test IP: 192.168.44.1 Login failures: 4 Lock flag: lock Blacklist items matched: 1. # Verify that the user at 192.168.44.1 cannot use this user account to log in.
  • Page 367: Password-Control Super Composition

    mdc-admin Parameters aging-time: Specifies the super password aging time in days, in the range of 1 to 365. Examples # Set the super passwords to expire after 10 days. <Sysname> system-view [Sysname] password-control super aging 10 Related commands display password-control password-control aging password-control super composition Use password-control super composition to configure the composition policy for super...
  • Page 368: Password-Control Super Length

    Examples # Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type. <Sysname> system-view [Sysname] password-control super composition type-number 4 type-length 5 Related commands display password-control password-control composition password-control super length Use password-control super length to set the minimum length for super passwords.
  • Page 369: Reset Password-Control Blacklist

    Syntax password-control update-interval interval undo password-control update-interval Default The minimum password update interval is 24 hours. Views System view Predefined user roles network-admin mdc-admin Parameters interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.
  • Page 370: Reset Password-Control History-Record

    <Sysname> reset password-control blacklist user-name test Are you sure to delete the specified user in blacklist? [Y/N]: Related commands display password-control blacklist reset password-control history-record Use reset password-control history-record to delete history password records. Syntax reset password-control history-record [ super [ role role-name ] | user-name user-name ] Views User view Predefined user roles...
  • Page 371: Keychain Commands

    Keychain commands accept-lifetime utc Use accept-lifetime utc to set the receiving lifetime for a key of a keychain in absolute time mode. Use undo accept-lifetime to restore the default. Syntax accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date } undo accept-lifetime Default...
  • Page 372: Accept-Tolerance

    <Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21 accept-tolerance Use accept-tolerance to set a tolerance time for accept keys in a keychain. Use undo accept-tolerance to restore the default. Syntax accept-tolerance { value | infinite } undo accept-tolerance Default...
  • Page 373: Default-Send-Key

    undo authentication-algorithm Default No authentication algorithm is specified for a key. Views Key view Predefined user roles network-admin mdc-admin Parameters hmac-md5: Specifies the HMAC-MD5 authentication algorithm. hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm. md5: Specifies the MD5 authentication algorithm. Usage guidelines If an application does not support the authentication algorithm specified for a key, the application cannot use the key for packet authentication.
  • Page 374: Display Keychain

    Examples # Specify key 1 in keychain abc as the default send key. <Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] default-send-key display keychain Use display keychain to display keychain information. Syntax display keychain [ name keychain-name [ key key-id ] ] Views Any view Predefined user roles...
  • Page 375: Key

    Accept status : Active Key ID Key string : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g== Algorithm : md5 Send lifetime : 01:00:01 2015/01/25 to 01:00:00 2015/01/27 Send status : Inactive Accept lifetime : 01:00:00 2015/01/22 to 01:00:00 2015/01/27 Accept status : Active Table 36 Command output Field Description Mode...
  • Page 376: Keychain

    Parameters key-id: Specifies a key ID in the range of 0 to 281474976710655. Usage guidelines The keys in a keychain must have different key IDs. Examples # Create key 1 and enter its view. <Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] keychain...
  • Page 377: Key-String

    key-string Use key-string to configure a key string for a key. Use undo key-string to restore the default. Syntax key-string { cipher | plain } string undo key-string Default No key string is configured for a key. Views Key view Predefined user roles network-admin mdc-admin...
  • Page 378: Tcp-Algorithm-Id

    Predefined user roles network-admin mdc-admin Parameters start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59. start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.
  • Page 379: Tcp-Kind

    mdc-admin Parameters hmac-md5: Specifies the HMAC-MD5 authentication algorithm, which provides a key length of 16 bytes. md5: Specifies the MD5 authentication algorithm, which provides a key length of 16 bytes. algorithm-id: Specifies an algorithm ID in the range of 1 to 63. Usage guidelines If an application uses keychain authentication during TCP connection establishment, the incoming and outgoing TCP packets will carry the TCP Enhanced Authentication Option.
  • Page 380 <Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] tcp-kind 252...
  • Page 381: Public Key Management Commands

    Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
  • Page 382 2DA4C04EF5AE0835090203010001 ============================================= Key name: serverkey (default) Key type: RSA Time when key pair created: 15:40:48 2011/05/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2011/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7 9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03 92D8C6D940890BF4290203010001...
  • Page 383 # Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B ============================================= Key name: ecdsa1...
  • Page 384: Display Public-Key Peer

    Key code: ... # Display the public key of the local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1...
  • Page 385 Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters brief: Displays brief information about all peer host public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer host public key, including its key code.
  • Page 386: Peer-Public-Key End

    Type Modulus Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 39 Command output Field Description Type Key type: RSA, DSA or ECDSA. Modulus Key modulus length in bits. Name Name of the peer host public key. Related commands public-key peer public-key peer import sshkey peer-public-key end Use peer-public-key end to exit public key view to system view and save the configured peer host public key.
  • Page 387: Public-Key Local Create

    [Sysname-pkey-public-key-key1]0001 [Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands display public-key local public display public-key peer public-key peer public-key local create Use public-key local create to create local key pairs. Syntax In non-FIPS mode: public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ] In FIPS mode: public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name...
  • Page 388 Type Default name dsakey ecdsakey ECDSA Usage guidelines The key algorithm must be the same as required by the security application. When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security, and the longer the key generation time. When you create an ECDSA key pair, choose the appropriate elliptic curve.
  • Page 389 ...++++++ .++++++ ..++++++++ ..++++++++ Create the key pair successfully. # Create a local DSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 390: Public-Key Local Destroy

    ..+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the name ecdsa1. <Sysname> system-view [Sysname] public-key local create ecdsa name ecdsa1 Generating Keys... Create the key pair successfully. # In FIPS mode, create a local RSA key pair with the default name. <Sysname>...
  • Page 391 Views System view Predefined user roles network-admin mdc-admin Parameters dsa: Specifies the DSA key pair type. ecdsa: Specifies the ECDSA key pair type. rsa: Specifies the RSA key pair type. name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters.
  • Page 392: Public-Key Local Export Dsa

    Related commands public-key local create public-key local export dsa Use public-key local export dsa to export a local DSA host public key. Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles network-admin...
  • Page 393 <Sysname> system-view [Sysname] public-key local export dsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "dsa-key-2011/05/12" AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local DSA key pair with the default name in OpenSSH format. <Sysname>...
  • Page 394: Public-Key Local Export Ecdsa

    Related commands public-key local create public-key peer import sshkey public-key local export ecdsa Use public-key local export ecdsa to export a local ECDSA host public key. Syntax public-key local export ecdsa [ name key-keyname ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles...
  • Page 395: Public-Key Local Export Rsa

    <Sysname> system-view [Sysname] public-key local export ecdsa openssh key.pub # Display the host public key of the local ECDSA key pair with the default name in SSH 2.0 format. <Sysname> system-view [Sysname] public-key local export ecdsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "ecdsa-sha2-nistp256-2014/07/06"...
  • Page 396 For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command displays the key on the monitor screen. Usage guidelines You can use this command to export a local RSA host public key before distributing it to a peer device.
  • Page 397: Public-Key Peer

    Execute the peer-public-key end command to save the public key and return to system view. The public key you type in the public key view must be in a correct format. If the peer device is an HPE device, use the display public-key local public command to display and record its public key. Examples...
  • Page 398: Public-Key Peer Import Sshkey

    <Sysname> system-view [Sysname] public-key peer key1 Enter public key view. Return to system view with "peer-public-key end" command. [Sysname-pkey-public-key-key1] Related commands display public-key local public display public-key peer peer-public-key end public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from a public key file. Use undo public-key peer to remove a peer host public key.
  • Page 399 Related commands display public-key peer public-key local export dsa public-key local export ecdsa public-key local export rsa...
  • Page 400: Pki Commands

    PKI commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure a rule to filter certificates based on an attribute in the certificate issuer name, subject name, or alternative subject name field.
  • Page 401: Ca Identifier

    An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 42. Table 42 Combinations of attribute-value pairs and operation keywords (Operation / DN / FQDN/IP). DN: The DN contains the specified attribute value. FQDN/IP: Any FQDN or IP address contains the specified attribute value.
  • Page 402: Certificate Request Entity

    Views PKI domain view Predefined user roles network-admin mdc-admin Parameters name: Specifies the trusted CA by its name, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate in a PKI domain, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the CA server specified for the PKI domain.
  • Page 403: Certificate Request From

    • State and country where the entity resides. • FQDN. • IP address. You can specify only one PKI entity for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect. Examples # Specify PKI entity en1 for certificate request in PKI domain aaa. <Sysname>...
  • Page 404 Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ password { cipher | simple } string ] | manual } undo certificate request mode Default The certificate request mode is manual. Views PKI domain view Predefined user roles network-admin mdc-admin...
  • Page 405: Certificate Request Polling

    certificate request polling Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status. Use undo certificate request polling to restore the defaults. Syntax certificate request polling { count count | interval interval } undo certificate request polling { count | interval } Default The polling interval is 20 minutes, and the maximum number of attempts is 50.
  • Page 406: Common-Name

    undo certificate request url Default The URL of the certificate request reception authority is not specified. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters.
  • Page 407: Country

    Predefined user roles network-admin mdc-admin Parameters common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name. Examples # Set the common name to test for PKI entity en. <Sysname>...
  • Page 408: Crl Url

    Default CRL checking is enabled. Views PKI domain view Predefined user roles network-admin mdc-admin Usage guidelines A CRL is a list of revoked certificates signed and published by a CA. Revoked certificates should no longer be trusted. Enable CRL checking to ensure that the device only accepts certificates that have not been revoked by the issuing CA.
  • Page 409: Display Pki Certificate Access-Control-Policy

    vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option. Usage guidelines To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository in the following order: CRL repository specified in the PKI domain by using this command.
  • Page 410: Display Pki Certificate Attribute-Group

    Usage guidelines If you do not specify a policy name, this command displays information about all certificate-based access control policies. Examples # Display information about certificate-based access control policy mypolicy. <Sysname> display pki certificate access-control-policy mypolicy Access control policy name: mypolicy Rule 1 deny mygroup1...
  • Page 411 Parameters group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups. Examples # Display information about certificate attribute group mygroup. <Sysname>...
  • Page 412: Display Pki Certificate Domain

    display pki certificate domain Use display pki certificate domain to display information about certificates. Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
  • Page 413 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn, O=docm, OU=rnd, CN=rootca Validity Not Before: Jan 6 02:51:41 2011 GMT Not After : Dec 7 03:12:05 2013 GMT Subject: C=cn, O=ccc, OU=ppp, CN=rootca Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0: 28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40:...
  • Page 414 52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67: d8:95:e2:26:a4:0b:c2:8c:63:32:5d:38:3e:fd:b7: 4a:83:69:0e:3e:24:e4:ab:91:6c:56:51:88:93:9e: 12:a4:30:ad:ae:72:57:a7:ba:fb:bc:ac:20:8a:21: 46:ea:e8:93:55:f3:41:49:e9:9d:cc:ec:76:13:fd: a5:8d:cb:5b:45:08:b7:d1:c5:b5:58:89:47:ce:12: bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b: 8a:f0:ea:02:fd:2d:44:7a:67 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs...
  • Page 415 dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a: 65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28: 04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64: cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4: 50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f: 3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9: de:18:9d:c1 # Display brief information about all peer certificates in the PKI domain aaa. <Sysname> display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a peer certificate in the PKI domain aaa. <Sysname>...
  • Page 416: Display Pki Certificate Request-Status

    Netscape Cert Type: SSL Server X509v3 Subject Alternative Name: DNS:docm.com X509v3 Subject Key Identifier: 3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26 X509v3 CRL Distribution Points: Full Name: URI:http://s03130.ccc.sec.com:447/ssl.crl Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5: 17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72: ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2: ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8: f0:a5 Related commands pki domain pki retrieve-certificate display pki certificate request-status Use display pki certificate request-status to display certificate request status.
  • Page 417 (Character name: Symbol) Backslash: \ Right angle bracket: > Vertical bar: | Quotation marks: " Colon: : Apostrophe: ' Usage guidelines If you do not specify a PKI domain, this command displays the certificate request status for all PKI domains. Examples # Display certificate request status for PKI domain aaa.
  • Page 418: Display Pki Crl Domain

    Related commands certificate request polling pki domain pki retrieve-certificate display pki crl domain Use display pki crl domain to display information about the CRL saved at the local for a PKI domain. Syntax display pki crl domain domain-name Views Any view Predefined user roles network-admin network-operator...
  • Page 419: Fqdn

    X509v3 Authority Key Identifier: keyid:49:25:DB:07:3A:C4:8A:C2:B5:A0:64:A5:F1:54:93:69:14:51:11:EF Revoked Certificates: Serial Number: CDE626BF7A44A727B25F9CD81475C004 Revocation Date: Apr 28 01:37:52 2011 GMT CRL entry extensions: Invalidity Date: Apr 28 01:37:49 2011 GMT Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5 Revocation Date: Apr 28 01:33:28 2011 GMT CRL entry extensions: Invalidity Date: Apr 28 01:33:09 2011 GMT Signature Algorithm: sha1WithRSAEncryption...
  • Page 420 Syntax fqdn fqdn-name-string undo fqdn Default No FQDN is set for a PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters in the format hostname@domainname. Usage guidelines An FQDN uniquely identifies a PKI entity on a network.
  • Page 421: Ldap-Server

    Usage guidelines Use this command to assign an IP address to a PKI entity or specify an interface for the entity. The interface's primary IPv4 address will be used as the IP address of the PKI entity. If you specify an interface, make sure the interface is assigned an IP address before the PKI entity requests a certificate.
  • Page 422: Locality

    [Sysname] pki domain aaa [Sysname-pki-domain-aaa] ldap-server host 10.0.0.1 # Specify LDAP server 10.0.0.11 in VPN instance vpn1 for PKI domain aaa. Set the port number to 333. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] ldap-server host 10.0.0.11 port 333 vpn-instance vpn1 Related commands pki retrieve-certificate pki retrieve-crl...
  • Page 423: Organization-Unit

    Default No organization name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin mdc-admin Parameters org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set the organization name to abc for PKI entity en. <Sysname>...
  • Page 424: Pki Certificate Access-Control-Policy

    Syntax pki abort-certificate-request domain domain-name Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 50. Table 50 Special characters Character name...
  • Page 425: Pki Certificate Attribute-Group

    Default No certificate-based access control policies exist. Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters. Usage guidelines A certificate-based access control policy contains a set of access control rules that permit or deny access to the device based on the attributes in the requesting client's certificate.
  • Page 426: Pki Delete-Certificate

    Usage guidelines A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates. A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command).
  • Page 427: Pki Domain

    serial serial-num: Specifies a peer certificate by its serial number, a case-insensitive string of 1 to 127 characters. If you do not specify a serial number, this command removes all peer certificates in the PKI domain. Usage guidelines When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain.
  • Page 428: Pki Entity

    Default No PKI domains exist. Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 52. Table 52 Special characters Character name Symbol Character name...
  • Page 429: Pki Export

    Parameters entity-name: Specifies a name for a PKI entity, a case-insensitive string of 1 to 31 characters. Usage guidelines A PKI entity includes the identity information that can be used by a CA to identify a certificate applicant. You can configure multiple attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address.
  • Page 430 all: Specifies both CA and local certificates. The RA certificate is excluded. ca: Specifies the CA certificate. local: Specifies the local certificates or the local certificates and their private keys. passphrase p12-key: Specifies a password for encrypting the private key of a local PKCS12 certificate.
  • Page 431 When you export the local certificates or all certificates in PEM format, you must specify the cryptographic algorithm and the challenge password for the private key. If you do not specify the cryptographic algorithm and the challenge password, this command does not export the private keys of the local certificates.
  • Page 433 %The signature usage local certificate: Bag Attributes friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd ...
  • Page 435 # Export the CA certificate in the PKI domain to a file named cacert in PEM format. <Sysname> system-view [Sysname] pki export domain domain1 pem ca filename cacert # Display the CA certificate or the CA certificate chain in the PKI domain on the terminal. <Sysname>...
  • Page 436: Pki Import

    -----END CERTIFICATE----- # Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123. <Sysname> system-view [Sysname] pki export domain domain1 p12 local passphrase 123 filename cert-lo.der # Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format.
  • Page 437 Usage guidelines Use this command to import a certificate in the following situations: • The CRL repository is not specified or the CA server does not support SCEP. • The certificate is packed with the server generated key pair in a single file. Only certificate files in PKCS12 or PEM format can contain key pairs.
  • Page 438 If a matching key pair is found, the device asks whether you want to overwrite the existing key pair on the device. If no match is found, the device asks you to enter a key pair name (defaulting to the PKI domain name).
  • Page 439 Bag Attributes localKeyID: 01 00 00 00 subject=/CN=sldsslserver issuer=/C=cn/O=ccc/OU=sec/CN=ssl Bag Attributes: <Empty Attributes>...
  • Page 440: Pki Request-Certificate

    Please input the password:******** Local certificate already exist, confirm to overwrite it? [Y/N]:y The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted. Overwrite it? [Y/N]:y The system is going to save the key pair.
  • Page 441: Pki Retrieve-Certificate

    password password: Sets the password for certificate revocation, a case-sensitive string of 1 to 31 characters. The password is contained in the certificate request and must be provided if the certificate is revoked. pkcs10: Displays BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.
  • Page 442 Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 56. Table 56 Special characters Character name Symbol Character name Symbol Tilde...
  • Page 443: Pki Retrieve-Crl

    <Sysname> system-view [Sysname] pki retrieve-certificate domain aaa peer en1 Related commands display pki certificate pki delete-certificate pki retrieve-crl Use pki retrieve-crl to obtain CRLs and save them locally. Syntax pki retrieve-crl domain domain-name Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
  • Page 444: Pki Storage

    Examples # Obtain CRLs from the CRL repository. <Sysname> system-view [Sysname] pki retrieve-crl domain aaa Related commands crl url ldap server pki storage Use pki storage to specify the storage path for the certificates or CRLs. Use undo pki storage to restore the default. Syntax pki storage { certificates | crls } dir-path undo pki storage { certificates | crls }...
  • Page 445: Pki Validate-Certificate

    <Sysname> system-view [Sysname] pki storage crls pki-new pki validate-certificate Use pki validate-certificate to verify the validity of certificates. Syntax pki validate-certificate domain domain-name { ca | local } Views System view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 58. Table 58 Special characters...
  • Page 446 [Sysname] pki validate-certificate domain aaa ca Verifying certificate..Serial Number: f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5 Issuer: C=cn O=ccc OU=ppp CN=rootca Subject: C=cn O=abc OU=test CN=aca Verify result: OK Verifying certificate..Serial Number: 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 Issuer: C=cn O=ccc OU=ppp CN=rootca Subject: C=cn O=ccc OU=ppp CN=rootca Verify result: OK # Verify the local certificates in PKI domain aaa.
  • Page 447: Public-Key Dsa

    Related commands crl check pki domain public-key dsa Use public-key dsa to specify a DSA key pair for certificate request. Use undo public-key to restore the default. Syntax public-key dsa name key-name [ length key-length ] undo public-key Default No key pair is specified for certificate request. Views PKI domain view Predefined user roles...
  • Page 448: Public-Key Ecdsa

    Related commands pki import public-key local create public-key ecdsa Use public-key ecdsa to specify an ECDSA key pair for certificate request. Use undo public-key to restore the default. Syntax In non-FIPS mode: public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] undo public-key In FIPS mode: public-key ecdsa name key-name [ secp256r1 | secp384r1 | secp521r1 ]...
  • Page 449: Public-Key Rsa

    The specified elliptic curve takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and curve before submitting a certificate request. The curve parameter is ignored if the specified key pair already exists or is already contained in an imported certificate.
  • Page 450: Root-Certificate Fingerprint

    Usage guidelines You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways: • Use the public-key local create command to generate a key pair. • An application, like IKE using digital signature authentication, triggers the device to generate a key pair.
  • Page 451 undo root-certificate fingerprint Default No fingerprint is set for verifying the root CA certificate. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters md5: Sets an MD5 fingerprint. sha1: Sets an SHA1 fingerprint. string: Sets the fingerprint in hexadecimal notation. If you specify the MD5 keyword, the fingerprint is a string of 32 characters.
  • Page 452: Rule

    # Specify an SHA1 fingerprint for verifying the root CA certificate. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 Related commands certificate request mode pki import pki retrieve-certificate rule Use rule to create an access control rule. Use undo rule to remove an access control rule.
  • Page 453: Source

    Examples # Create rule 1 to permit all certificates that match certificate attribute group mygroup. <Sysname> system-view [Sysname] pki certificate access-control-policy mypolicy [Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup Related commands attribute display pki certificate access-control-policy pki certificate attribute-group source Use source to specify the source IP address for PKI protocol packets. Use undo source to restore the default.
  • Page 454: State

    <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] source ipv6 1::8 # Use the IP address of VLAN-interface 1 as the source IP address for PKI protocol packets. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] source ip interface vlan-interface 1 # Use the IPv6 address of VLAN-interface 1 as the source IPv6 address for PKI protocol packets. <Sysname>...
  • Page 455 Default No extensions for certificates are specified. A certificate can be used for IKE, SSL clients, and SSL servers. Views PKI domain view Predefined user roles network-admin mdc-admin Parameters ike: Specifies the IKE certificate extension so IKE peers can use the certificates. ssl-client: Specifies the SSL client certificate extension so the SSL client can use the certificates.
  • Page 456: Ipsec Commands

    IPsec commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
  • Page 457: Description

    [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1 description Use description to configure a description for an IPsec policy, IPsec policy template, or IPsec profile. Use undo description to restore the default. Syntax description text undo description Default No description is configured for an IPsec policy, IPsec policy template, or IPsec profile. Views IPsec policy view IPsec policy template view...
  • Page 458 mdc-operator Parameters ipv6-policy: Displays information about IPv6 IPsec policies. policy: Displays information about IPv4 IPsec policies. policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec policies.
  • Page 459 Outbound ESP setting: ESP SPI: 1500 (0x000005dc) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: ----------------------------- Sequence number: 2 Mode: ISAKMP ----------------------------- The policy configuration is incomplete: Remote-address not set ACL not specified Transform-set not set Description: This is my first IPv4 Isakmp policy Traffic Flow Confidentiality: Enabled Security data flow: Selector mode: standard...
  • Page 460 ESP encryption hex key: ESP authentication hex key: Outbound AH setting: AH SPI: 6000 (0x00001770) AH string-key: ****** AH authentication hex key: Outbound ESP setting: ESP SPI: 8000 (0x00001f40) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: ----------------------------- Sequence number: 2 Mode: ISAKMP...
  • Page 461 AH authentication hex key: Inbound ESP setting: ESP SPI: 1236 (0x000004d4) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Outbound AH setting: AH SPI: 1237 (0x000004d5) AH string-key: ****** AH authentication hex key: Outbound ESP setting: ESP SPI: 1238 (0x000004d6) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key:...
  • Page 462: Display Ipsec { Ipv6-Policy-Template | Policy-Template

    Field Description IKEv2 profile IKEv2 profile used by the IPsec policy. SA duration(time based) Time-based IPsec SA lifetime, in seconds. SA duration(traffic based) Traffic-based IPsec SA lifetime, in kilobytes. SA idle time Idle timeout of the IPsec SA, in seconds. AH string key.
  • Page 463 If you specify an IPsec policy template name and a sequence number, this command displays information about the specified IPsec policy template entry. If you specify an IPsec policy template name without any sequence number, this command displays information about all IPsec policy template entries with the specified name.
  • Page 464: Display Ipsec Profile

    Table 60 Command output Field Description IPsec Policy Template IPsec policy template name. Sequence number Sequence number of the IPsec policy template entry. Description Description of the IPsec policy template. Traffic Flow Confidentiality Whether Traffic Flow Confidentiality (TFC) padding is enabled. Security data flow ACL used by the IPsec policy template.
  • Page 465: Display Ipsec Sa

    <Sysname> display ipsec profile ----------------------------------------------- IPsec profile: profile Mode: manual ----------------------------------------------- Transform set: prop1 Inbound AH setting: AH SPI: 12345 (0x00003039) AH string-key: AH authentication hex key: ****** Inbound ESP setting: ESP SPI: 23456 (0x00005ba0) ESP string-key: ESP encryption hex-key: ****** ESP authentication hex-key: ****** Outbound AH setting: AH SPI: 12345 (0x00003039)
  • Page 466 network-operator mdc-admin mdc-operator Parameters brief: Displays brief information about all IPsec SAs. count: Displays the number of IPsec SAs. interface interface-type interface-number: Specifies an interface by its type and number. ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy.
  • Page 467 <Sysname> display ipsec sa count Total IPsec SAs count: 4 # Display detailed information about all IPsec SAs. <Sysname> display ipsec sa ------------------------------- Interface: Vlan-interface100 ------------------------------- ----------------------------- IPsec policy: r2 Sequence number: 1 Mode: ISAKMP ----------------------------- Tunnel id: 3 Encapsulation mode: tunnel Perfect Forward Secrecy: Inside VRF: vp1 Extended Sequence Numbers enable: Y...
  • Page 468 ------------------------------- Global IPsec SA ------------------------------- ----------------------------- IPsec profile: profile Mode: Manual ----------------------------- Encapsulation mode: transport [Inbound AH SA] SPI: 1234563 (0x0012d683) Connection ID: 64426789452 Transform set: AH-SHA1 No duration limit for this SA [Outbound AH SA] SPI: 1234563 (0x002d683) Connection ID: 64428999468 Transform set: AH-SHA1 No duration limit for this SA Table 63 Command output...
  • Page 469: Display Ipsec Statistics

    Field Description Path MTU Path MTU of the IPsec SA. Tunnel Local and remote addresses of the IPsec tunnel. local address Local end IP address of the IPsec tunnel. remote address Remote end IP address of the IPsec tunnel. Flow Information about the data flow protected by the IPsec tunnel.
  • Page 470 Parameters tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels. Usage guidelines If you do not specify any parameters, this command displays statistics for all IPsec packets.
  • Page 471: Display Ipsec Transform-Set

    Table 64 Command output Field Description Received/sent packets Number of received/sent IPsec-protected packets. Received/sent bytes Number of bytes of received/sent IPsec-protected packets. Dropped packets (received/sent) Number of dropped IPsec-protected packets (received/sent). No available SA Number of packets dropped due to lack of available IPsec SA. Wrong SA Number of packets dropped due to wrong IPsec SA.
  • Page 472 Examples # Display information about all IPsec transform sets. <Sysname> display ipsec transform-set IPsec transform set: mytransform State: incomplete Encapsulation mode: tunnel ESN: Enabled PFS: Transform: ESP IPsec transform set: completeTransform State: complete Encapsulation mode: transport ESN: Enabled PFS: Transform: AH-ESP AH protocol: Integrity: SHA1 ESP protocol:...
  • Page 473: Display Ipsec Tunnel

    display ipsec tunnel Use display ipsec tunnel to display information about IPsec tunnels. Syntax display ipsec tunnel { brief | count | tunnel-id tunnel-id } Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters brief: Displays brief information about IPsec tunnels. count: Displays the number of IPsec tunnels.
  • Page 474 Field Description Outbound SPI Valid SPI in the outbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the outbound direction are displayed in two lines. Status Status of the IPsec SA, which can only be Active. # Display the number of IPsec tunnels.
  • Page 475: Encapsulation-Mode

    inbound: 5000 (0x00001388) [AH] outbound: 8000 (0x00001f40) [ESP] inbound: 7000 (0x00001b58) [ESP] Tunnel: local address: 1.2.3.1 remote address: 2.2.2.2 Flow: as defined in ACL 3100 Table 67 Command output Field Description Tunnel ID IPsec ID, used to uniquely identify an IPsec tunnel. IPsec tunnel status, which can only be Active.
  • Page 476: Esn Enable

    Predefined user roles network-admin mdc-admin Parameters transport: Uses the transport mode for IP packet encapsulation. tunnel: Uses the tunnel mode for IP packet encapsulation. Usage guidelines IPsec supports the following encapsulation modes: • Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers.
  • Page 477: Esp Authentication-Algorithm

    mdc-admin Parameters both: Specifies IPsec to support both extended sequence number and traditional sequence number. If you do not specify this keyword, IPsec only supports extended sequence number. Usage guidelines The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA.
  • Page 478: Esp Encryption-Algorithm

    sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key. sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key. Usage guidelines In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority. For a manual or IKEv1-based IPsec policy, the first specified ESP authentication algorithm takes effect.
  • Page 479 aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key. aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2. aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key. This keyword is available only for IKEv2.
  • Page 480: Ike-Profile

    ike-profile Use ike-profile to specify an IKE profile for an IPsec policy, IPsec policy template, or IPsec profile. Use undo ike-profile to restore the default. Syntax ike-profile profile-name undo ike-profile Default No IKE profile is specified for an IPsec policy, IPsec policy template, or IPsec profile. Views IPsec policy view IPsec policy template view...
  • Page 481: Ipsec { Ipv6-Policy | Policy

    Default No IKEv2 profile is specified. Views IPsec policy view IPsec policy template view Predefined user roles network-admin mdc-admin Parameters profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines The IKEv2 profile specified for an IPsec policy or IPsec policy template defines the parameters used for IKEv2 negotiation.
  • Page 482: Ipsec { Ipv6-Policy | Policy } Isakmp Template

    Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy entry, in the range of 1 to 65535. isakmp: Establishes IPsec SAs through IKE negotiation.
  • Page 483 Views System view Predefined user roles network-admin mdc-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. A smaller number indicates a higher priority.
  • Page 484 Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies an IPsec policy name, a case-insensitive string of 1 to 63 characters. local-address interface-type interface-number: Specifies the shared source interface by its type and number. Usage guidelines For high availability, two interfaces can operate in backup mode.
  • Page 485: Ipsec Anti-Replay Check

    Parameters ipv6-policy-template: Specifies an IPv6 IPsec policy template. policy-template: Specifies an IPv4 IPsec policy template. template-name: Specifies a name for the IPsec policy template, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy template entry, in the range of 1 to 65535.
  • Page 486: Ipsec Anti-Replay Window

    Usage guidelines IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not necessary but consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing resource waste. In some situations, service data packets are received in a different order than their original order.
  • Page 487: Ipsec Apply

    [Sysname] ipsec anti-replay window 128 Related commands ipsec anti-replay check ipsec apply Use ipsec apply to apply an IPsec policy to an interface. Use undo ipsec apply to remove an IPsec policy application from an interface. Syntax ipsec apply { ipv6-policy | policy } policy-name undo ipsec apply { ipv6-policy | policy } Default No IPsec policy is applied to an interface.
  • Page 488: Ipsec Df-Bit

    Syntax ipsec decrypt-check enable undo ipsec decrypt-check enable Default ACL checking for de-encapsulated IPsec packets is enabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy.
  • Page 489: Ipsec Fragmentation

    Usage guidelines This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode. This command does not change the DF bit for the original IP header of IPsec packets. If multiple interfaces use an IPsec policy that is bound to a source interface, you must use the same DF bit setting on these interfaces.
  • Page 490: Ipsec Global-Df-Bit

    Examples # Configure the device to fragment packets after IPsec encapsulation. <Sysname> system-view [Sysname] ipsec fragmentation after-encryption ipsec global-df-bit Use ipsec global-df-bit to configure the DF bit for the outer IP header of IPsec packets on all interfaces. Use undo ipsec global-df-bit to restore the default. Syntax ipsec global-df-bit { clear | copy | set } undo ipsec global-df-bit...
  • Page 491: Ipsec Logging Packet Enable

    Use undo ipsec limit max-tunnel to restore the default. Syntax ipsec limit max-tunnel tunnel-limit undo ipsec limit max-tunnel Default The number of supported IPsec tunnels varies by the device model. Views System view Predefined user roles network-admin mdc-admin Parameters tunnel-limit: Specifies the maximum number of IPsec tunnels, in the range of 1 to 4294967295. Usage guidelines To maximize concurrent performance of IPsec when memory is sufficient, increase the maximum number of IPsec tunnels.
  • Page 492: Ipsec Profile

    failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded. Examples # Enable logging for IPsec packets. <Sysname> system-view [Sysname] ipsec logging packet enable ipsec profile Use ipsec profile to create an IPsec profile and enter its view, or enter the view of an existing IPsec profile.
  • Page 493: Ipsec Redundancy Enable

    [Sysname] ipsec profile profile1 isakmp [Sysname-ipsec-profile-isakmp-profile1] Related commands display ipsec profile ipsec redundancy enable Use ipsec redundancy enable to enable IPsec redundancy. Use undo ipsec redundancy enable to disable IPsec redundancy. Syntax ipsec redundancy enable undo ipsec redundancy enable Default IPsec redundancy is disabled.
  • Page 494: Ipsec Sa Idle-Time

    Default The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes. Views System view Predefined user roles network-admin mdc-admin Parameters time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.
  • Page 495: Ipsec Transform-Set

    Views System view Predefined user roles network-admin mdc-admin Parameters seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds. Usage guidelines This feature applies only to IPsec SAs negotiated by IKE. The IPsec SA idle timeout can also be configured in IPsec policy view, IPsec policy template view, or IPsec profile view, which takes precedence over the global IPsec SA timeout.
  • Page 496: Local-Address

    Examples # Create an IPsec transform set named tran1 and enter its view. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-transform-set-tran1] Related commands display ipsec transform-set local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default. Syntax local-address ipv4-address undo local-address...
  • Page 497: Protocol

    Syntax In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 } undo pfs In FIPS mode: pfs { dh-group14 | dh-group19 | dh-group20 } undo pfs Default The PFS feature is disabled for the IPsec transform set. Views IPsec transform set view Predefined user roles...
  • Page 498: Qos Pre-Classify

    Use undo protocol to restore the default. Syntax protocol { ah | ah-esp | esp } undo protocol Default The IPsec transform set uses the ESP protocol. Views IPsec transform set view Predefined user roles network-admin mdc-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol.
  • Page 499: Redundancy Replay-Interval

    Usage guidelines The QoS pre-classify feature enables QoS to classify packets by using the IP header of the original IP packets. Examples # Enable the QoS pre-classify feature. <Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] qos pre-classify redundancy replay-interval Use redundancy replay-interval to set the anti-replay window lower bound value synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.
  • Page 500: Remote-Address

    [Sysname] ipsec policy test 1 manual [sysname-ipsec-policy-manual-test-1] redundancy replay-interval inbound 800 outbound 50000 Related commands ipsec anti-replay check ipsec anti-replay window ipsec redundancy enable remote-address Use remote-address to configure the remote IP address for the IPsec tunnel. Use undo remote-address to restore the default. Syntax remote-address { host-name | ipv4-address } undo remote-address { host-name | ipv4-address }...
  • Page 501: Reset Ipsec Sa

    [Sysname-ipsec-policy-isakmp-policy1-1] remote-address test # Change the IP address for the host test to 2.2.2.2. [Sysname] ip host test 2.2.2.2 In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host. # Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
  • Page 502: Reset Ipsec Statistics

    spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num: Clears IPsec SAs matching the specified SA triplet: the remote address, the security protocol, and the SPI. • ipv4-address: Specifies a remote IPv4 address. • ipv6 ipv6-address: Specifies a remote IPv6 address. •...
  • Page 503: Reverse-Route Dynamic

    mdc-admin Parameters tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id argument is 0 to 4294967295. If you do not specify this option, the command clears all IPsec packet statistics. Examples # Clear IPsec packet statistics. <Sysname>...
  • Page 504: Reverse-Route Preference

    [Sysname-ipsec-policy-isakmp-1-1] reverse-route dynamic [Sysname-ipsec-policy-isakmp-1-1] quit # Display the routing table. You can see a created static route. (Other information is not shown.) [Sysname] display ip routing-table
    Destinations : 1        Routes : 1
    Destination/Mask    Proto   Cost    NextHop     Interface
    3.0.0.0/24          Static  60      1.1.1.2     Vlan100
    Related commands...
  • Page 505: Reverse-Route Tag

    Related commands ipsec policy ipsec policy-template reverse-route tag Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. Use undo reverse-route tag to restore the default. Syntax reverse-route tag tag-value undo reverse-route tag Default The route tag value is 0 for the static routes created by IPsec RRI.
  • Page 506: Sa Hex-Key Authentication

    undo sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy, IPsec policy template, or IPsec profile is the current global SA lifetime. Views IPsec policy view IPsec policy template view IPsec profile view Predefined user roles network-admin mdc-admin Parameters...
  • Page 507 undo sa hex-key authentication { inbound | outbound } { ah | esp } Default No hexadecimal authentication keys are configured for manual IPsec SAs. Views IPsec policy view IPsec profile view Predefined user roles network-admin mdc-admin Parameters inbound: Specifies a hexadecimal authentication key for the inbound SA. outbound: Specifies a hexadecimal authentication key for the outbound SA.
  • Page 508: Sa Hex-Key Encryption

    sa string-key sa hex-key encryption Use sa hex-key encryption to configure an encryption key for a manual IPsec SA. Use undo sa hex-key encryption to delete an encryption key for a manual IPsec SA. Syntax sa hex-key encryption { inbound | outbound } esp { cipher | simple } string undo sa hex-key encryption { inbound | outbound } esp Default No hexadecimal encryption keys are configured for manual IPsec SAs.
  • Page 509: Sa Idle-Time

    The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel. If you execute this command multiple times for the same direction, the most recent configuration takes effect.
  • Page 510: Sa Spi

    Examples # Set the IPsec SA idle timeout to 600 seconds for IPsec policy map. <Sysname> system-view [Sysname] ipsec policy map 100 isakmp [Sysname-ipsec-policy-isakmp-map-100] sa idle-time 600 Related commands display ipsec sa ipsec sa idle-time sa spi Use sa spi to configure an SPI for IPsec SAs. Use undo sa spi to remove the SPI.
  • Page 511: Sa String-Key

    area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP4+, the scope consists of BGP4+ peers or a BGP4+ peer group. Examples # Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in a manual IPsec policy.
  • Page 512: Security Acl

    The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA. The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format).
  • Page 513 mdc-admin Parameters acl-number: Specifies an ACL by its number in the range of 3000 to 3999. name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. aggregation: Specifies the data protection mode as aggregation. The device does not support protecting IPv6 data flows in aggregation mode.
  • Page 514: Snmp-Agent Trap Enable Ipsec

    snmp-agent trap enable ipsec Use snmp-agent trap enable ipsec to enable SNMP notifications for IPsec. Use undo snmp-agent trap enable ipsec to disable SNMP notifications for IPsec. Syntax snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] * undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global |...
  • Page 515: Tfc Enable

    [Sysname] snmp-agent trap enable ipsec global # Enable SNMP notifications for events of creating IPsec tunnels. [Sysname] snmp-agent trap enable ipsec tunnel-start tfc enable Use tfc enable to enable Traffic Flow Confidentiality (TFC) padding. Use undo tfc enable to disable TFC padding. Syntax tfc enable undo tfc enable...
  • Page 516 Default No IPsec transform set is specified for an IPsec policy, IPsec policy template, or IPsec profile. Views IPsec policy view IPsec policy template view IPsec profile view Predefined user roles network-admin mdc-admin Parameters transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names, a case-insensitive string of 1 to 63 characters.
  • Page 517: Ike Commands

    IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. aaa authorization Use aaa authorization to enable IKE AAA authorization.
  • Page 518: Authentication-Algorithm

    Examples # Create IKE profile profile1. <Sysname> system-view [Sysname] ike profile profile1 # Enable AAA authorization. Specify ISP domain abc and username test. [Sysname-ike-profile-profile1] aaa authorization domain abc username test authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default.
  • Page 519: Authentication-Method

    authentication-method Use authentication-method to specify an authentication method to be used in an IKE proposal. Use undo authentication-method to restore the default. Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles...
  • Page 520 Use undo certificate domain to remove a PKI domain for signature authentication. Syntax certificate domain domain-name undo certificate domain domain-name Default No PKI domains are specified for signature authentication. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. Usage guidelines You can specify a maximum of six PKI domains for an IKE profile by executing this command multiple times.
  • Page 521: Client-Authentication

    client-authentication Use client-authentication to enable client authentication. Use undo client-authentication to disable client authentication. Syntax client-authentication xauth undo client-authentication Default Client authentication is disabled. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters xauth: Uses Extended Authentication within ISAKMP/Oakley (XAUTH) for authentication. Usage guidelines Client authentication enables an IPsec gateway to authenticate remote users through a RADIUS server in IKE negotiation.
  • Page 522 Predefined user roles network-admin mdc-admin Parameters text: Specifies the description, a case-sensitive string of 1 to 80 characters. Usage guidelines When multiple IKE proposals exist, you configure different descriptions for them to distinguish them. Examples # Configure a description of test for IKE proposal 1. <Sysname>...
  • Page 523: Display Ike Proposal

    Usage guidelines A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose a proper Diffie-Hellman group for your network. Examples # Specify the 2048-bit Diffie-Hellman group group1 to be used for key negotiation in IKE phase 1 in IKE proposal 1.
  • Page 524: Display Ike Sa

    Field Description
    Authentication algorithm: Authentication algorithm used in the IKE proposal:
    • MD5—HMAC-MD5 algorithm.
    • SHA1—HMAC-SHA1 algorithm.
    • SHA256—HMAC-SHA256 algorithm.
    • SHA384—HMAC-SHA384 algorithm.
    • SHA512—HMAC-SHA512 algorithm.
    Encryption algorithm: Encryption algorithm used by the IKE proposal:
    • 3DES-CBC—168-bit 3DES algorithm in CBC mode.
    •...
  • Page 525 Usage guidelines If you do not specify any parameters, this command displays summary information about all IKE SAs. Examples # Display summary information about all IKE SAs. <Sysname> display ike sa Connection-ID Remote Flag ---------------------------------------------------------- 202.38.0.2 IPsec Flags: RD--READY RL--REPLACED FD-FADING RK-REKEY Table 69 Command output Field Description...
  • Page 526 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected Extend authentication: Enabled Assigned IP address: 192.168.2.1 # Display detailed information about the IKE SA with a remote address of 4.4.4.5. <Sysname> display ike sa verbose remote-address 4.4.4.5 --------------------------------------------- Connection ID: 2 Outside VPN:...
  • Page 527: Display Ike Statistics

    Field Description
    Transmitting entity: Role of the IKE negotiation entity, Initiator or Responder.
    Local IP: IP address of the local gateway.
    Local ID type: Identifier type of the local gateway.
    Local ID: Identifier of the local gateway.
    Remote IP: IP address of the remote gateway.
    Remote ID type: Identifier type of the remote gateway.
  • Page 528: Dpd

    mdc-operator Examples # Display IKE statistics. <Sysname> display ike statistics
    IKE statistics:
    No matching proposal: 0
    Invalid ID information: 0
    Unavailable certificate: 0
    Unsupported DOI: 0
    Unsupported situation: 0
    Invalid proposal syntax: 0
    Invalid SPI: 0
    Invalid protocol ID: 0
    Invalid certificate: 0
    Authentication failure: 0
    Invalid flags: 0...
  • Page 529: Encryption-Algorithm

    Predefined user roles network-admin mdc-admin Parameters interval interval: Specifies a DPD triggering interval in the range of 1 to 300 seconds. retry seconds: Specifies the DPD retry interval in the range of 1 to 60 seconds. The default is 5 seconds.
  • Page 530: Exchange-Mode

    Views IKE proposal view Predefined user roles network-admin mdc-admin Parameters 3des-cbc: Specifies the 3DES algorithm in CBC mode. The 3DES algorithm uses a 168-bit key for encryption. aes-cbc-128: Specifies the AES algorithm in CBC mode. The AES algorithm uses a 128-bit key for encryption.
  • Page 531: Ike Address-Group

    Parameters aggressive: Specifies the aggressive mode. main: Specifies the main mode. Usage guidelines As a best practice, specify the aggressive mode at the local end if the following conditions are met: • The local end, for example, a dialup user, obtains an IP address automatically. •...
  • Page 532: Ike Dpd

    Examples # Configure an IKE IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask 255.255.255.0. <Sysname> system-view [Sysname] ike address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0 # Configure an IKE IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask length 32.
  • Page 533: Ike Identity

    Examples # Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond. <Sysname> system-view [Sysname] ike dpd interval 10 retry 5 on-demand Related commands ike identity Use ike identity to specify the global identity used by the local end during IKE negotiations. Use undo ike identity to restore the default.
  • Page 534: Ike Invalid-Spi-Recovery Enable

    Examples # Specify IP address 2.2.2.2 as the identity. <sysname> system-view [sysname] ike identity address 2.2.2.2 Related commands local-identity ike signature-identity from-certificate ike invalid-spi-recovery enable Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery. Use undo ike invalid-spi-recovery enable to disable invalid SPI recovery. Syntax ike invalid-spi-recovery enable undo ike invalid-spi-recovery enable...
  • Page 535: Ike Keepalive Timeout

    Syntax ike keepalive interval interval undo ike keepalive interval Default No IKE keepalives are sent. Views System view Predefined user roles network-admin mdc-admin Parameters interval: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800. Usage guidelines To detect the status of the peer, configure IKE DPD instead of the IKE keepalive feature, unless IKE DPD is not supported on the peer.
  • Page 536: Ike Keychain

    Parameters seconds: Specifies the number of seconds between IKE keepalives. The value range for this argument is 20 to 28800. Usage guidelines If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
  • Page 537: Ike Limit

    [Sysname] ike keychain key1 [Sysname-ike-keychain-key1] Related commands authentication-method pre-shared-key ike limit Use ike limit to set the maximum number of half-open or established IKE SAs. Use undo ike limit to restore the default. Syntax ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit } undo ike limit { max-negotiating-sa | max-sa } Default There is no limit to the maximum number of half-open or established IKE SAs.
  • Page 538: Ike Profile

    Use undo ike nat-keepalive to restore the default. Syntax ike nat-keepalive seconds undo ike nat-keepalive Default The NAT keepalive interval is 20 seconds. Views System view Predefined user roles network-admin mdc-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300. Usage guidelines This command takes effect only for a device that resides in the private network behind a NAT gateway.
  • Page 539: Ike Proposal

    Examples # Create IKE profile 1 and enter its view. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] ike proposal Use ike proposal to create an IKE proposal and enter its view, or enter the view of an existing IKE proposal. Use undo ike proposal to delete an IKE proposal.
  • Page 540: Ike Signature-Identity From-Certificate

    <Sysname> system-view [Sysname] ike proposal 1 [Sysname-ike-proposal-1] Related commands display ike proposal ike signature-identity from-certificate Use ike signature-identity from-certificate to configure the local device to obtain the identity information from the local certificate for signature authentication. Use undo ike signature-identity from-certificate to restore the default. Syntax ike signature-identity from-certificate undo ike signature-identity from-certificate...
  • Page 541: Keychain

    Syntax inside-vpn vpn-instance vpn-instance-name undo inside-vpn Default No inside VPN instance is specified for an IKE profile. The device forwards protected data to the VPN instance where the interface that receives the data resides. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters...
  • Page 542: Local-Identity

    Usage guidelines You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. Examples # Specify IKE keychain abc for IKE profile 1. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] keychain abc Related commands ike keychain...
  • Page 543: Match Local Address (Ike Keychain View)

    The initiator uses the local ID to identify itself to the responder. The responder compares the initiator's ID with the peer IDs configured by the match remote command to look for a matching IKE profile. An IKE profile can have only one local ID. An IKE profile with no local ID specified uses the local ID configured by using the ike identity command in system view.
  • Page 544: Match Local Address (Ike Profile View)

    You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. To give an IKE keychain a higher priority, you can configure this command for the keychain. For example, suppose you specified IKE keychain A before specifying IKE keychain B, and you configured the peer ID 2.2.0.0/16 for IKE keychain A and the peer ID 2.2.2.0/24 for IKE keychain B.
  • Page 545: Match Remote

    An IKE profile configured earlier has a higher priority. To give an IKE profile that is configured later a higher priority, you can configure this command for the profile. For example, suppose you configured IKE profile A before configuring IKE profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKE profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKE profile B.
  • Page 546: Pre-Shared-Key

    address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKE profile matching. The prefix-length argument is in the range of 0 to 128. • address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKE profile matching.
  • Page 547 pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher string ] undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } Default No pre-shared key is configured.
  • Page 548: Priority (Ike Keychain View)

    [Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456TESTplat&! Related commands authentication-method keychain priority (IKE keychain view) Use priority to specify a priority for an IKE keychain. Use undo priority to restore the default. Syntax priority priority undo priority Default The priority of an IKE keychain is 100. Views IKE keychain view Predefined user roles...
  • Page 549: Proposal

    Default The priority of an IKE profile is 100. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters priority priority: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority. Usage guidelines To determine the priority of an IKE profile, the device examines the existence of the match local address command before examining the priority number.
  • Page 550: Reset Ike Sa

    Examples # Specify IKE proposal 10 for IKE profile prof1. <Sysname> system-view [Sysname] ike profile prof1 [Sysname-ike-profile-prof1] proposal 10 Related commands ike proposal reset ike sa Use reset ike sa to delete IKE SAs. Syntax reset ike sa [ connection-id connection-id ] Views User view Predefined user roles...
  • Page 551: Reset Ike Statistics

    reset ike statistics Use reset ike statistics to clear IKE MIB statistics. Syntax reset ike statistics Views User view Predefined user roles network-admin mdc-admin Examples # Clear IKE MIB statistics. <Sysname> reset ike statistics Related commands snmp-agent trap enable ike sa duration Use sa duration to set the IKE SA lifetime for an IKE proposal.
  • Page 552: Snmp-Agent Trap Enable Ike

    [Sysname-ike-proposal-1] sa duration 600 Related commands display ike proposal snmp-agent trap enable ike Use snmp-agent trap enable ike to enable SNMP notifications for IKE. Use undo snmp-agent trap enable ike to disable SNMP notifications for IKE. Syntax snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *...
  • Page 553 tunnel-stop: Specifies notifications about events of deleting IKE tunnels. unsupport-exch-type: Specifies notifications about negotiation-type-unsupported failures. Usage guidelines If you do not specify any keywords, this command enables or disables all SNMP notifications for IKE. To generate and output SNMP notifications for a specific IKE failure type or event type, perform the following tasks: Enable SNMP notifications for IKE globally.
  • Page 554: Ikev2 Commands

    IKEv2 commands aaa authorization Use aaa authorization to enable IKEv2 AAA authorization. Use undo aaa authorization to disable IKEv2 AAA authorization. Syntax aaa authorization domain domain-name username user-name undo aaa authorization Default IKEv2 AAA authorization is disabled. Views IKEv2 profile view Predefined user roles network-admin mdc-admin...
  • Page 555: Address

    # Enable AAA authorization. Specify ISP domain name abc and username test. [Sysname-ikev2-profile-profile1] aaa authorization domain abc username test Related commands display ikev2 profile address Use address to specify the IP address or IP address range of an IKEv2 peer. Use undo address to restore the default.
  • Page 556: Authentication-Method

    authentication-method Use authentication-method to specify the local or remote identity authentication method. Use undo authentication-method to remove the local or remote identity authentication method. Syntax authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature } undo authentication-method local undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share | rsa-signature }...
  • Page 557: Certificate Domain

    [Sysname-ikev2-profile-profile1] authentication remote rsa-signature # Specify PKI domain genl as the PKI domain for obtaining certificates. [Sysname-ikev2-profile-profile1] certificate domain genl # Specify IKEv2 keychain keychain1. [Sysname-ikev2-profile-profile1] keychain keychain1 Related commands display ikev2 profile certificate domain (IKEv2 profile view) keychain (IKEv2 profile view) certificate domain Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.
  • Page 558: Config-Exchange

    # Specify PKI domain abc for signature. Specify PKI domain def for verification. [Sysname-ikev2-profile-profile1] certificate domain abc sign [Sysname-ikev2-profile-profile1] certificate domain def verify Related commands authentication-method pki domain config-exchange Use config-exchange to enable configuration exchange. Use undo config-exchange to disable configuration exchange. Syntax config-exchange { request | set { accept | send } } undo config-exchange { request | set { accept | send } }...
  • Page 559 # Enable the local end to add the configuration request payload to the request message of IKE_AUTH exchange. [Sysname-ikev2-profile-profile1] config-exchange request Related commands aaa authorization display ikev2 profile Use dh to specify DH groups to be used in IKEv2 key negotiation. Use undo dh to restore the default.
  • Page 560: Display Ikev2 Policy

    Examples # Specify DH group 1 for IKEv2 proposal 1. <Sysname> system-view [Sysname] ikev2 proposal 1 [Sysname-ikev2-proposal-1] dh group1 Related commands ikev2 proposal display ikev2 policy Use display ikev2 policy to display the IKEv2 policy configuration. Syntax display ikev2 policy [ policy-name | default ] Views Any view Predefined user roles...
  • Page 561: Display Ikev2 Profile

    Field Description
    Match local address: IPv4 address to which the IKEv2 policy can be applied.
    Match local address ipv6: IPv6 address to which the IKEv2 policy can be applied.
    Match VRF: VPN instance to which the IKEv2 policy can be applied.
    Proposal: IKEv2 proposal that the IKEv2 policy uses.
  • Page 562: Display Ikev2 Proposal

    Domain2 SA duration: 500 DPD: Interval 32, retry 23, periodic Config exchange: Request, Set send, Set accept NAT keepalive: 10 AAA authorization: Domain domain1, username ikev2 Table 72 Command output Field Description IKEv2 profile Name of the IKEv2 profile. Priority Priority of the IKEv2 profile.
  • Page 563 Syntax display ikev2 proposal [ name | default ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters. default: Specifies the default IKEv2 proposal. Usage guidelines This command displays IKEv2 proposals in descending order of priorities.
  • Page 564: Display Ikev2 Sa

    display ikev2 sa Use display ikev2 sa to display the IKEv2 SA information. Syntax display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ] ] Views Any view Predefined user roles...
  • Page 565 1.1.1.1/500 1.1.1.2/500 Status: IN-NEGO: Negotiating, EST: Established, DEL: Deleting Table 74 Command output Field Description Tunnel ID ID of the IPsec tunnel to which the IKEv2 SA belongs. Local Local IP address of the IKEv2 SA. Remote Remote IP address of the IKEv2 SA. Status of the IKEv2 SA: •...
  • Page 566 Remote next message ID: 0 Pushed IP address: 192.168.1.5 Assigned IP address: 192.168.2.24 # Display detailed IKEv2 SA information for the remote IP address 1.1.1.2. <Sysname> display ikev2 sa remote 1.1.1.2 verbose Tunnel ID: 1 Local IP/Port: 1.1.1.1/500 Remote IP/Port: 1.1.1.2/500 Outside VRF: - Inside VRF: - Local SPI: 8f8af3dbf5023a00...
  • Page 567 Field Description
    Remote IP/Port: IP address and port number of the remote security gateway.
    Outside VRF: Name of the VPN instance to which the protected outbound data flow belongs. If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).
    Inside VRF: Name of the VPN instance to which the protected inbound data flow belongs.
  • Page 568: Display Ikev2 Statistics

    # Display the number of IKEv2 SAs. [Sysname-probe] display ikev2 sa count IKEv2 SAs count: 0 display ikev2 statistics Use display ikev2 statistics to display IKEv2 statistics. Syntax display ikev2 statistics Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display IKEv2 statistics.
  • Page 569: Dpd

    Related commands reset ikev2 statistics Use dpd to configure IKEv2 DPD. Use undo dpd to disable IKEv2 DPD. Syntax dpd interval interval [ retry seconds ] { on-demand | periodic } undo dpd interval Default IKEv2 DPD is disabled. The global IKEv2 DPD settings are used. Views IKEv2 profile view Predefined user roles...
  • Page 570 Syntax In non-FIPS mode: encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } * undo encryption In FIPS mode: encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } * undo encryption Default No encryption algorithm is specified for an IKEv2 proposal.
  • Page 571: Hostname

    hostname Use hostname to specify the host name of an IKEv2 peer. Use undo hostname to restore the default. Syntax hostname name undo hostname Default The IKEv2 peer's host name is not specified. Views IKEv2 peer view Predefined user roles network-admin mdc-admin Parameters...
  • Page 572: Identity Local

    Views IKEv2 peer view Predefined user roles network-admin mdc-admin Parameters ipv4-address: Specifies the IPv4 address of the peer. ipv6 ipv6-address: Specifies the IPv6 address of the peer. fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
  • Page 573: Ikev2 Address-Group

    Views IKEv2 profile view Predefined user roles network-admin mdc-admin Parameters address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID. dn: Uses the DN in the local certificate as the local ID. email email-string: Uses an email address as the local ID. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as sec@abc.com.
  • Page 574: Ikev2 Cookie-Challenge

    Parameters group-name: Specifies a name for the IKEv2 IPv4 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters. start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4 address.
  • Page 575: Ikev2 Dpd

    responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation. This feature can protect the responder against DoS attacks which aim to exhaust the responder's system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses.
  • Page 576: Ikev2 Ipv6-Address-Group

    [Sysname] ikev2 dpd interval 15 on-demand # Configure the device to trigger IKEv2 DPD every 15 seconds. <Sysname> system-view [Sysname] ikev2 dpd interval 15 periodic Related commands dpd (IKEv2 profile view) ikev2 ipv6-address-group Use ikev2 ipv6-address-group to configure an IKEv2 IPv6 address pool for assigning IPv6 addresses to remote peers.
  • Page 577: Ikev2 Keychain

    ikev2 keychain Use ikev2 keychain to create an IKEv2 keychain and enter its view, or enter the view of an existing IKEv2 keychain. Use undo ikev2 keychain to delete an IKEv2 keychain. Syntax ikev2 keychain keychain-name undo ikev2 keychain keychain-name Default No IKEv2 keychains exist.
  • Page 578: Ikev2 Policy

    mdc-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600. Usage guidelines This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
  • Page 579: Ikev2 Profile

    If no IKEv2 policy is configured, the default IKEv2 policy is used. You cannot enter the view of the default IKEv2 policy, nor modify it. Examples # Create an IKEv2 policy named policy1 and enter IKEv2 policy view. <Sysname> system-view [Sysname] ikev2 policy policy1 [Sysname-ikev2-policy-policy1] Related commands...
  • Page 580 Use undo ikev2 proposal to delete an IKEv2 proposal. Syntax ikev2 proposal proposal-name undo ikev2 proposal proposal-name Default An IKEv2 proposal named default exists, which has the lowest priority and uses the following settings: • In non-FIPS mode: Encryption algorithm—AES-CBC-128 and 3DES. ...
  • Page 581: Inside-Vrf

    Related commands encryption-algorithm integrity inside-vrf Use inside-vrf to specify an inside VPN instance. Use undo inside-vrf to restore the default. Syntax inside-vrf vrf-name undo inside-vrf Default No inside VPN instance is specified. The internal and external networks are in the same VPN instance.
  • Page 582: Keychain

    integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } * undo integrity In FIPS mode: integrity { sha1 | sha256 | sha384 | sha512 } * undo integrity Default No integrity protection algorithm is specified for an IKEv2 proposal. Views IKEv2 proposal view Predefined user roles...
  • Page 583: Match Local (Ikev2 Profile View)

    Default No IKEv2 keychain is specified for an IKEv2 profile. Views IKEv2 profile view Predefined user roles network-admin mdc-admin Parameters keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-). Usage guidelines An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication.
  • Page 584: Match Local Address (Ikev2 Policy View)

    Parameters address: Specifies a local interface or IP address to which an IKEv2 profile can be applied. interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
  • Page 585: Match Remote

    mdc-admin Parameters interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. Usage guidelines IKEv2 policies with this command configured are looked up before those that do not have this command configured.
  • Page 586: Match Vrf (Ikev2 Policy View)

    address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKEv2 profile matching. The value range for the mask-length argument is 0 to 32. • address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKEv2 profile matching.
  • Page 587: Match Vrf (Ikev2 Profile View)

    Default No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network. Views IKEv2 policy view Predefined user roles network-admin mdc-admin Parameters name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: Specifies the public network and all VPN instances.
  • Page 588: Nat-Keepalive

    Parameters name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: Specifies the public network and all VPN instances. Usage guidelines If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation.
  • Page 589: Peer

    # Set the NAT keepalive interval to 1200 seconds. [Sysname-ikev2-profile-profile1] nat-keepalive 1200 Related commands display ikev2 profile ikev2 nat-keepalive peer Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer. Use undo peer to delete an IKEv2 peer. Syntax peer name undo peer name...
  • Page 590: Pre-Shared-Key

    pre-shared-key Use pre-shared-key to configure a pre-shared key. Use undo pre-shared-key to delete a pre-shared key. Syntax pre-shared-key [ local | remote ] { ciphertext | plaintext } string undo pre-shared-key [ local | remote ] Default No pre-shared key exists. Views IKEv2 peer view Predefined user roles...
  • Page 591: Prf

    # Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-a and the key for certificate authentication is 111-key-b. [Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a [Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b • On the responder: # Create an IKEv2 keychain named telecom. <Sysname>...
  • Page 592: Priority (Ikev2 Policy View)

    Parameters aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm. md5: Uses the HMAC-MD5 algorithm. sha1: Uses the HMAC-SHA1 algorithm. sha256: Uses the HMAC-SHA256 algorithm. sha384: Uses the HMAC-SHA384 algorithm. sha512: Uses the HMAC-SHA512 algorithm. Usage guidelines You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
  • Page 593: Priority (Ikev2 Profile View)

    <Sysname> system-view [Sysname] ikev2 policy policy1 [Sysname-ikev2-policy-policy1] priority 10 Related commands display ikev2 policy priority (IKEv2 profile view) Use priority to set a priority for an IKEv2 profile. Use undo priority to restore the default. Syntax priority priority undo priority Default The priority of an IKEv2 profile is 100.
  • Page 594: Reset Ikev2 Sa

    Views IKEv2 policy view Predefined user roles network-admin mdc-admin Parameters proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.
  • Page 595: Reset Ikev2 Statistics

    fast: Notifies the peers of the deletion and deletes IKEv2 SAs directly before receiving the peers' responses. If you do not specify this keyword, the device notifies the peers of the deletion and deletes IKEv2 SAs after it receives the peers' responses. Usage guidelines Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA.
  • Page 596: Sa Duration

    sa duration Use sa duration to set the IKEv2 SA lifetime. Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration Default The IKEv2 SA lifetime is 86400 seconds. Views IKEv2 profile view Predefined user roles network-admin mdc-admin Parameters...
  • Page 597: Ssh Commands

    SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
  • Page 598: Display Ssh User-Information

    Field Description SSH authentication-timeout Authentication timeout timer. SSH server key generating interval Minimum interval for updating the RSA server key pair. SSH authentication retries Maximum number of authentication attempts for SSH users. SFTP server Whether the SFTP server is enabled. SFTP server Idle-Timeout SFTP connection idle timeout timer.
  • Page 599: Free Ssh

    Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If you do not specify an SSH user, this command displays information about all SSH users. Usage guidelines This command displays information only about SSH users that are configured by using the ssh user command on the SSH server.
  • Page 600: Scp Server Enable

    Syntax free ssh { user-ip { ip-address | ipv6 ipv6-address } [ port port-number ] | user-pid pid-number | username username } Views User view Predefined user roles network-admin mdc-admin Parameters user-ip: Specifies the user IP address of the SSH sessions to be disconnected. ip-address: Specifies the user IPv4 address of the SSH sessions to be disconnected.
  • Page 601: Sftp Server Enable

    Default The SCP server is disabled. Views System view Predefined user roles network-admin mdc-admin Examples # Enable the SCP server. <Sysname> system-view [Sysname] scp server enable Related commands display ssh server sftp server enable Use sftp server enable to enable the SFTP server. Use undo sftp server enable to disable the SFTP server.
  • Page 602: Ssh Server Acl

    undo sftp server idle-timeout Default The idle timeout timer is 10 minutes for SFTP connections. Views System view Predefined user roles network-admin mdc-admin Parameters time-out-value: Specifies an idle timeout timer in the range of 1 to 35791 minutes. Usage guidelines If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection.
  • Page 603: Ssh Server Acl-Deny-Log Enable

    Usage guidelines The ACL specified in this command filters IPv4 SSH clients' connection requests. Only the IPv4 SSH clients that the ACL permits can access the device. If the specified ACL does not exist or contains no rules, all IPv4 SSH clients can access the device. The ACL takes effect only on SSH connections that are initiated after the ACL configuration.
  • Page 604: Ssh Server Authentication-Retries

    Related commands ssh server acl ssh server ipv6 acl ssh server authentication-retries Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default. Syntax ssh server authentication-retries retries undo ssh server authentication-retries Default The maximum number of authentication attempts is 3 for SSH users.
  • Page 605: Ssh Server Authentication-Timeout

    ssh server authentication-timeout Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. Use undo ssh server authentication-timeout to restore the default. Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The SSH user authentication timeout timer is 60 seconds. Views System view Predefined user roles...
  • Page 606: Ssh Server Dscp

    Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command is not available in FIPS mode. The undo form of this command restores the default setting whether you specify the enable keyword or not. This configuration does not affect logged-in users. It affects only users that attempt to log in after the configuration.
  • Page 607: Ssh Server Enable

    [Sysname] ssh server dscp 30 ssh server enable Use ssh server enable to enable the Stelnet server. Use undo ssh server enable to disable the Stelnet server. Syntax ssh server enable undo ssh server enable Default The Stelnet server is disabled. Views System view Predefined user roles...
  • Page 608: Ssh Server Ipv6 Dscp

    mac mac-acl-number: Specifies a Layer 2 ACL by its number in the range of 4000 to 4999. Usage guidelines The ACL specified in this command filters IPv6 SSH clients' connection requests. Only the IPv6 SSH clients that the ACL permits can access the device. If the specified ACL does not exist or contains no rules, all IPv6 SSH clients can access the device.
  • Page 609: Ssh Server Pki-Domain

    ssh server pki-domain Use ssh server pki-domain to specify a PKI domain for an SSH server. Use undo ssh server pki-domain to restore the default. Syntax ssh server pki-domain domain-name undo ssh server pki-domain Default No PKI domain is specified for an SSH server. Views System view Predefined user roles...
  • Page 610: Ssh Server Rekey-Interval

    Views System view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a port number in the range of 1 to 65535. Usage guidelines If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification.
  • Page 611: Ssh User

    The system starts to count down the configured minimum update interval after the first SSH1 user logs in to the server. If a new SSH1 user logs in to the server after the interval, the system performs the following operations: Updates the RSA server key pair.
  • Page 612 • scp: Specifies the service type SCP. • sftp: Specifies the service type SFTP. • stelnet: Specifies the service type Stelnet. • netconf: Specifies the service type NETCONF. authentication-type: Specifies an authentication method for the SSH user. • password: Specifies password authentication. This authentication method provides easy and fast encryption, but it is vulnerable.
  • Page 613: Ssh Client Commands

    In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user. For an SFTP or SCP user, the working directory depends on the authentication method. • If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
  • Page 614: Cdup

    Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command has the same function as the exit and quit commands. Examples # Terminate the connection with the SFTP server. sftp> bye <Sysname> Use cd to change the working directory on the SFTP server. Syntax cd [ remote-path ] Views...
  • Page 615: Delete

    Predefined user roles network-admin mdc-admin Example # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current Directory is:/test1 sftp> pwd Remote working directory: /test1 sftp> cdup Current Directory is:/ sftp> pwd Remote working directory: / sftp>...
  • Page 616: Dir

    Predefined user roles network-admin mdc-admin Parameters server-ip ip-address: Specifies the IP address of the server whose public key information will be deleted. If you do not specify a server IP address, this command deletes the public keys of all servers from the client's public key file.
  • Page 617: Display Sftp Client Source

    -rwxrwxrwx 301 Dec 18 14:11 010.pub -rwxrwxrwx 301 Dec 18 14:12 011.pub -rwxrwxrwx 301 Dec 18 14:12 012.pub # Display detailed information about the files and subdirectories under the current directory, excluding the files and subdirectories with names starting with dots (.). sftp>...
  • Page 618 mdc-operator Parameters server-ip ip-address: Specifies the IP address of the server whose public key information will be displayed. If you do not specify a server IP address, this command displays the public keys of all servers saved in the client's public key file. Usage guidelines When a user connects to an unauthenticated server and selects to save the server's public key, the server public key will be saved to the public key file.
  • Page 619: Display Ssh Client Source

    Field Description Type of the public key: • dsa—DSA public key. • ecdsa-sha2-nistp256—256-bit ECDSA public key created by using Key type the secp256r1 curve. • ecdsa-sha2-nistp384—384-bit ECDSA public key created by using the secp384r1 curve. • rsa—RSA public key. Key length Length of the public key, in bits.
  • Page 620: Get

    mdc-admin mdc-operator Usage guidelines This command has the same function as the bye and quit commands. Examples # Terminate the SFTP connection. sftp> exit <Sysname> Use get to download a file from the SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view...
  • Page 621 Usage guidelines This command has the same function as entering the question mark (?). Examples # Display help information on the SFTP client. sftp> help Available commands: Quit sftp cd [path] Change remote directory to 'path' cdup Change remote directory to the parent directory delete path Delete remote file dir [-a|-l][path]...
  • Page 622: Mkdir

    remote-path: Specifies the name of the directory to be queried. If you do not specify this argument, the command displays information about the files and subdirectories under the current working directory. Usage guidelines If you do not specify both of the -a and -l keywords, this command displays the names of the files and subdirectories under a directory.
  • Page 623: Pwd

    Views SFTP client view Predefined user roles network-admin mdc-admin Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name of a file on an SFTP server. If you do not specify this argument, the file will be remotely saved with the same name as the local file. Examples # Upload the local file startup.bak to the SFTP server and save it as startup01.bak.
  • Page 624: Remove

    mdc-admin mdc-operator Usage guidelines This command has the same function as the bye and exit commands. Examples # Terminate the SFTP connection. sftp> quit <Sysname> remove Use remove to delete a file from the SFTP server. Syntax remove remote-file Views SFTP client view Predefined user roles network-admin...
  • Page 625: Rmdir

    Examples # Change the name of a file on the SFTP server from temp1.c to temp2.c. sftp> dir aa.pub temp1.c sftp> rename temp1.c temp2.c sftp> dir aa.pub temp2.c rmdir Use rmdir to delete a directory from the SFTP server. Syntax rmdir remote-path Views SFTP client view...
  • Page 626 sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] * [ user username [ password password ] ] Views...
  • Page 627 • 3des-cbc: Specifies the encryption algorithm 3des-cbc. • aes128-cbc: Specifies the encryption algorithm aes128-cbc. • aes128-ctr: Specifies the encryption algorithm aes128-ctr. • aes128-gcm: Specifies the encryption algorithm aes128-gcm. • aes192-ctr: Specifies the encryption algorithm aes192-ctr. • aes256-cbc: Specifies the encryption algorithm aes256-cbc. •...
  • Page 628: Scp Ipv6

    user username: Specifies an SCP username, a case-sensitive string of 1 to 80 characters. If the username contains an ISP domain name, use the pureusername@domain format. The pureusername argument is a string of 1 to 55 characters. The domain argument is a string of 1 to 24 characters.
  • Page 629 scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex...
  • Page 630 public key algorithm is used, you must specify this option for the client to get the correct local certificate. prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib.
  • Page 631: Scp Ipv6 Suite-B

    server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (<...
  • Page 632 pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views User view Predefined user roles network-admin mdc-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
  • Page 633: Scp Suite-B

    • interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets. • ipv6 ipv6-address: Specifies a source IPv6 address. Usage guidelines Table 81 Suite B algorithms Security Key exchange Encryption algorithm...
  • Page 634 source-file-name: Specifies the name of the source file, a case-sensitive string of 1 to 255 characters. destination-file-name: Specifies the name of the target file, a case-sensitive string of 1 to 255 characters. If you do not specify this argument, the target file uses the same file name as the source file.
  • Page 635: Sftp

    sftp Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view. Syntax In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |...
  • Page 636 • x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256. • x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384. • pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.
  • Page 637: Sftp Client Ipv6 Source

    prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword). dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48.
  • Page 638: Sftp Client Source

    Default The source IPv6 address for SFTP packets is not configured. The SFTP client automatically selects an IPv6 address for SFTP packets in compliance with RFC 3484. Views System view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the longest-matching IPv6 address of the specified interface as their source address.
  • Page 639: Sftp Ipv6

    Parameters interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the primary IPv4 address of the interface as their source address. ip ip-address: Specifies a source IPv4 address. Usage guidelines This command takes effect on all SFTP connections. The source IPv4 address specified in the sftp command takes effect only on the current SFTP connection.
  • Page 640 mdc-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
  • Page 641 • md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. • sha1: Specifies the HMAC algorithm hmac-sha1. • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. • sha2-256: Specifies the HMAC algorithm hmac-sha2-256. • sha2-512: Specifies the HMAC algorithm hmac-sha2-512. prefer-kex: Specifies the preferred key exchange algorithm.
  • Page 642: Sftp Ipv6 Suite-B

    • Preferred key exchange algorithm: dh-group14-sha1. • Preferred server-to-client encryption algorithm: aes128-cbc. • Preferred client-to-server HMAC algorithm: sha1. • Preferred server-to-client HMAC algorithm: sha1-96. • Preferred compression algorithm: zlib. <Sysname> sftp ipv6 2000::1 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey Username: sftp ipv6 suite-b Use sftp ipv6 suite-b to establish a connection to an IPv6 SFTP server based on Suite B algorithms...
  • Page 643: Sftp Suite-B

    server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate. prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets.
  • Page 644 Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
  • Page 645: Ssh Client Ipv6 Source

    Examples # Use the 128-bit Suite B algorithms to establish a connection to SFTP server 10.1.1.2. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively. <Sysname> sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain Username ssh client ipv6 source Use ssh client ipv6 source to configure the source IPv6 address for SSH packets that are sent by...
  • Page 646: Ssh Client Source

    ssh client source Use ssh client source to configure the source IPv4 address for SSH packets that are sent by the Stelnet client. Use undo ssh client source to restore the default. Syntax ssh client source { interface interface-type interface-number | ip ip-address } undo ssh client source Default The source IPv4 address for SSH packets is not configured.
  • Page 647 sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] * In FIPS mode:...
  • Page 648 prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128-ctr. Supported algorithms are des-cbc, 3des-cbc, aes128-cbc, aes128-ctr, aes128-gcm, aes192-ctr, aes256-cbc, aes256-ctr, and aes256-gcm, in ascending order of security strength and computation time. • 3des-cbc: Specifies the encryption algorithm 3des-cbc. •...
  • Page 649: Ssh2 Ipv6

    characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). source: Specifies a source IPv4 address or source interface for SSH packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SSH packets.
  • Page 650 prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] * In FIPS mode:...
  • Page 651 prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128-ctr. Supported algorithms are des-cbc, 3des-cbc, aes128-cbc, aes128-ctr, aes128-gcm, aes192-ctr, aes256-cbc, aes256-ctr, and aes256-gcm, in ascending order of security strength and computation time.
  • Page 652: Ssh2 Ipv6 Suite-B

    public-key keyname: Specifies the server by its host public key that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters. server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters.
  • Page 653 domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views User view Predefined user roles network-admin mdc-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
  • Page 654: Ssh2 Suite-B

    Usage guidelines
    Table 85 Suite B algorithms
    Security level   Key exchange algorithm   Encryption algorithm and HMAC algorithm   Public key algorithm
    128-bit          ecdh-sha2-nistp256       aes128-gcm                                x509v3-ecdsa-sha2-nistp256
    192-bit          ecdh-sha2-nistp384       aes256-gcm                                x509v3-ecdsa-sha2-nistp384
    Both             ecdh-sha2-nistp256       aes128-gcm                                x509v3-ecdsa-sha2-nistp256
                     ecdh-sha2-nistp384       aes256-gcm                                x509v3-ecdsa-sha2-nistp384
    The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.
  • Page 655 suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 128-bit: Specifies the 128-bit Suite B security level. 192-bit: Specifies the 192-bit Suite B security level.
  • Page 656: Ssh2 Commands

    Examples # Use the 128-bit Suite B algorithms to establish a connection to Stelnet server 3.3.3.3. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively. <Sysname> ssh2 3.3.3.3 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain Username SSH2 commands display ssh2 algorithm...
  • Page 657: Ssh2 Algorithm Cipher

    ssh2 algorithm key-exchange ssh2 algorithm mac ssh2 algorithm public-key ssh2 algorithm cipher Use ssh2 algorithm cipher to specify encryption algorithms for SSH2. Use undo ssh2 algorithm cipher to restore the default. Syntax In non-FIPS mode: ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } * undo ssh2 algorithm cipher In FIPS mode:...
  • Page 658: Ssh2 Algorithm Key-Exchange

    <Sysname> system-view [Sysname] ssh2 algorithm cipher aes256-cbc Related commands display ssh2 algorithm ssh2 algorithm key-exchange ssh2 algorithm mac ssh2 algorithm public-key ssh2 algorithm key-exchange Use ssh2 algorithm key-exchange to specify key exchange algorithms for SSH2. Use undo ssh2 algorithm key-exchange to restore the default. Syntax In non-FIPS mode: ssh2...
  • Page 659: Ssh2 Algorithm Mac

    <Sysname> system-view [Sysname] ssh2 algorithm key-exchange dh-group1-sha1 Related commands display ssh2 algorithm ssh2 algorithm cipher ssh2 algorithm mac ssh2 algorithm public-key ssh2 algorithm mac Use ssh2 algorithm mac to specify MAC algorithms for SSH2. Use undo ssh2 algorithm mac to restore the default. Syntax In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *...
  • Page 660: Ssh2 Algorithm Public-Key

    Related commands display ssh2 algorithm ssh2 algorithm cipher ssh2 algorithm key-exchange ssh2 algorithm public-key ssh2 algorithm public-key Use ssh2 algorithm public-key to specify public key algorithms for SSH2. Use undo ssh2 algorithm public-key to restore the default. Syntax In non-FIPS mode: ssh2 algorithm public-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } * undo ssh2 algorithm public-key...
  • Page 661 Related commands display ssh2 algorithm ssh2 algorithm cipher ssh2 algorithm key-exchange ssh2 algorithm mac...
  • Page 662: Ssl Commands

    SSL commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ciphersuite Use ciphersuite to specify the cipher suites supported by an SSL server policy.
  • Page 663 ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256. ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256. ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.
  • Page 664: Client-Verify

    • Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Key exchange algorithms are typically asymmetric key algorithms, such as RSA. After the SSL server receives the cipher suites offered by a client, the server matches them against the cipher suites it supports.
  • Page 665: Display Crypto Version

    Optional SSL client authentication—The SSL server does not require an SSL client to submit its digital certificate for identity authentication. • If an SSL client submits its certificate to the SSL server, the server authenticates the client identity. The client must pass authentication to access the server. •...
  • Page 666: Display Ssl Client-Policy

    Examples
    # Display cryptographic library version information.
    <Sysname> display crypto version
    7.1.1.1.1.57
    Table 88 Command output
    Field          Description
    7.1.1.1.1.57   Cryptographic library version information, in the 7.1.X format:
                   • The 7.1 segment represents Comware 700R001.
                   • The X segment represents the cryptographic library version.
    display ssl client-policy
    Use display ssl client-policy to display SSL client policy information.
  • Page 667: Display Ssl Server-Policy

    display ssl server-policy Use display ssl server-policy to display SSL server policy information. Syntax display ssl server-policy [ policy-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters.
  • Page 668: Pki-Domain (Ssl Server Policy View)

    Default No PKI domain is specified for an SSL client policy. Views SSL client policy view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you specify a PKI domain for an SSL client policy, the SSL client that uses the SSL client policy will obtain its digital certificate through the specified PKI domain.
  • Page 669: Prefer-Cipher

    Examples # Specify PKI domain server-domain for SSL server policy policy1. <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] pki-domain server-domain Related commands display ssl server-policy pki domain prefer-cipher Use prefer-cipher to specify a preferred cipher suite for an SSL client policy. Use undo prefer-cipher to restore the default.
  • Page 670 dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256. dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA. dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.
  • Page 671: Server-Verify Enable

    • Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key. • Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity.
  • Page 672: Session

    Examples # Enable the SSL client to use digital certificates to authenticate the SSL server. <Sysname> system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] server-verify enable Related commands display ssl client-policy session Use session to set the maximum number of sessions that the SSL server can cache and the timeout time for cached sessions.
  • Page 673: Ssl Client-Policy

    ssl client-policy Use ssl client-policy to create an SSL client policy and enter its view, or enter the view of an existing SSL client policy. Use undo ssl client-policy to delete an SSL client policy. Syntax ssl client-policy policy-name undo ssl client-policy policy-name Default No SSL client policies exist.
  • Page 674: Ssl Server-Policy

    Predefined user roles network-admin mdc-admin Usage guidelines The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake. Disabling session renegotiation forces a full handshake for every session, which adds computational overhead, but it avoids the risks that come with reusing previously negotiated session state.
  • Page 675: Ssl Version Disable

    ssl version disable Use ssl version disable to disable the SSL server from using specific SSL protocol versions for session negotiation. Use undo ssl version disable to restore the default. Syntax In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable In FIPS mode: ssl version { tls1.0 | tls1.1 } * disable...
  • Page 676 version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } undo version In FIPS mode: version { tls1.0 | tls1.1 | tls1.2 } undo version Default An SSL client policy uses SSL protocol version TLS 1.0. Views SSL client policy view Predefined user roles network-admin mdc-admin...
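The ssh2 algorithm commands above and the ssl version / version / ciphersuite commands in this chapter are the knobs an auditor checks first on a Comware device. The script below is an added example, not HPE code: it scans a constructed running-configuration fragment (Comware layout, system-view commands at column 0 and view contents indented one space) and reports algorithm choices that this script, not the manual, rates as weak or legacy. Its parse of the ciphersuite keywords follows the naming scheme the manual uses (key exchange, cipher, MAC). One labelled assumption: an SSL server accepts every version the ssl version disable command can switch off until it is disabled.

```python
"""Audit SSH2 algorithm and SSL policy lines of a Comware-style configuration.

Added example (not HPE code). The configuration below is constructed, and the
weak/legacy ratings are this script's own assessment, not values from the manual.
"""
import re

# Keyword spellings match the ssh2 algorithm commands in this chapter.
WEAK_SSH = {
    "cipher":       {"des-cbc": "56-bit DES", "3des-cbc": "3DES (64-bit block size)"},
    "key-exchange": {"dh-group1-sha1": "1024-bit DH group with SHA-1"},
    "mac":          {"md5": "MD5", "md5-96": "truncated MD5", "sha1-96": "truncated SHA-1"},
    "public-key":   {"dsa": "DSA (1024-bit keys)"},
}
LEGACY_SSH = {"cipher": {"aes128-cbc", "aes256-cbc"}, "mac": {"sha1"}}  # CBC / SHA-1
# Assumption: every version "ssl version ... disable" can switch off is enabled until disabled.
DISABLEABLE = ("ssl3.0", "tls1.0", "tls1.1")
CIPHER_WORDS = {"aes", "3des", "des", "rc4", "null"}


def parse_ciphersuite(name):
    """Split a keyword like ecdhe_ecdsa_aes_128_gcm_sha256 into key exchange, cipher and MAC."""
    t = name.split("_")
    i = next((k for k, w in enumerate(t) if w in CIPHER_WORDS), None)
    if i is None or i == 0 or len(t) < i + 2:
        return None
    return {"kx": "_".join(t[:i]), "cipher": "_".join(t[i:-1]), "mac": t[-1]}


def rate_ciphersuite(name):
    """Return (severity, reason), or None when the suite looks acceptable."""
    p = parse_ciphersuite(name)
    if p is None:
        return ("info", "unrecognised suite keyword, review manually")
    if p["mac"] == "md5" or any(w in p["cipher"] for w in ("null", "rc4", "des")):
        return ("weak", "MD5 MAC or NULL/RC4/DES cipher")
    if "cbc" in p["cipher"] or p["mac"] == "sha":
        return ("legacy", "CBC mode or SHA-1 HMAC; prefer an AES-GCM SHA-2 suite")
    if not p["kx"].startswith(("ecdhe", "dhe")):
        return ("info", "static key exchange: no forward secrecy")
    return None


def audit(config_text):
    """Return a list of (severity, config line, reason) findings."""
    findings, disabled, client_versions, view = [], set(), {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            view = None                                  # back at system view
        m = re.match(r"ssh2 algorithm (cipher|key-exchange|mac|public-key) (.+)", line)
        if m:
            kind = m.group(1)
            for alg in m.group(2).split():
                if alg in WEAK_SSH[kind]:
                    findings.append(("weak", line, WEAK_SSH[kind][alg]))
                elif alg in LEGACY_SSH.get(kind, ()):
                    findings.append(("legacy", line, alg + ": prefer CTR/GCM ciphers and sha2-* MACs"))
            continue
        m = re.match(r"ssl version (.+) disable$", line)
        if m:
            disabled.update(m.group(1).split())
            continue
        m = re.match(r"ssl (server|client)-policy (\S+)$", line)
        if m:
            view = m.groups()                            # (kind, policy name)
            if view[0] == "client":
                client_versions.setdefault(view[1], None)
            continue
        if view and view[0] == "server" and line.startswith("ciphersuite "):
            for suite in line.split()[1:]:
                r = rate_ciphersuite(suite)
                if r:
                    findings.append((r[0], line, suite + ": " + r[1]))
        elif view and view[0] == "client" and line.startswith("version "):
            client_versions[view[1]] = line.split()[1]
    for v in DISABLEABLE:
        if v not in disabled:
            findings.append(("weak" if v == "ssl3.0" else "legacy", "ssl version " + v,
                             "still enabled on the SSL server (assumed default)"))
    for name, v in client_versions.items():
        if v is None:   # the version command's documented default for a client policy
            findings.append(("legacy", "ssl client-policy " + name,
                             "no version configured: the client policy defaults to TLS 1.0"))
        elif v != "tls1.2":
            findings.append(("legacy", "ssl client-policy " + name, "version " + v + " is below TLS 1.2"))
    return findings


# Constructed configuration fragment in Comware running-config layout.
SAMPLE_CONFIG = """\
ssh2 algorithm cipher aes256-cbc aes256-ctr
ssh2 algorithm key-exchange dh-group1-sha1
ssh2 algorithm mac md5 sha2-256
ssh2 algorithm public-key dsa rsa
ssl version ssl3.0 tls1.0 disable
ssl server-policy policy1
 ciphersuite dhe_rsa_aes_256_cbc_sha ecdhe_ecdsa_aes_128_gcm_sha256
 pki-domain server-domain
ssl client-policy policy1
 version tls1.0
 server-verify enable
"""

if __name__ == "__main__":
    for sev, line, why in audit(SAMPLE_CONFIG):
        print(f"[{sev:6}] {line!r}: {why}")
```

Run it against the output of display current-configuration saved to a file; the dh-group1-sha1 line it flags is exactly the one the key-exchange example in this chapter configures.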
  • Page 677: Attack Detection And Prevention Commands

    Attack detection and prevention commands ack-flood action Use ack-flood action to specify global actions against ACK flood attacks. Use undo ack-flood action to restore the default. Syntax ack-flood action { drop | logging } * undo ack-flood action Default No global action is specified for ACK flood attacks. Views Attack defense policy view Predefined user roles...
  • Page 678: Ack-Flood Detect Non-Specific

    Default IP address-specific ACK flood attack detection is not configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
  • Page 679: Ack-Flood Threshold

    Syntax ack-flood detect non-specific undo ack-flood detect non-specific Default Global ACK flood attack detection is disabled. Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global ACK flood attack detection applies to all IP addresses except those specified by the ack-flood detect command.
  • Page 680: Attack-Defense Local Apply Policy

    Usage guidelines With global ACK flood attack detection configured, the device is in attack detection state. When the sending rate of ACK packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
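The detection/prevention transition described above is a hysteresis: prevention starts when the per-second rate reaches the threshold, and detection resumes only once the rate falls below the silence threshold of three-fourths of it. Address-specific detection configured with the *-flood detect command takes precedence over the global threshold and actions. The model below is an added example, not HPE code; it replays constructed per-second packet counts through that state machine for two addresses, one under the global settings and one with an address-specific override. Assumptions: rates are evaluated once per one-second interval, and the drop action applies to the packets of intervals that begin while the address is already in prevention state (the manual says subsequent packets are dropped).

```python
"""Per-IP flood detection with the threshold / silence-threshold hysteresis
described for the *-flood threshold commands.

Added example, not HPE code. Traffic is constructed. Assumptions: one rate
sample per second; the drop action covers intervals that start in prevention
state; "action none" is modelled as an empty action set.
"""
from dataclasses import dataclass, field


@dataclass
class FloodPolicy:
    """Global threshold/actions plus address-specific overrides (X-flood detect ip ...)."""
    threshold: int = 1000                 # packets per second
    actions: frozenset = frozenset()      # subset of {"drop", "logging"}
    specific: dict = field(default_factory=dict)   # ip -> (threshold, actions)

    def settings(self, ip):
        return self.specific.get(ip, (self.threshold, self.actions))


@dataclass
class AddressState:
    state: str = "detection"
    dropped: int = 0
    logs: list = field(default_factory=list)


class FloodDetector:
    def __init__(self, policy):
        self.policy = policy
        self.addrs = {}

    def observe(self, ip, second, packets):
        """Feed the packet count sent to ip during one second; return the state after it."""
        threshold, actions = self.policy.settings(ip)
        silence = threshold * 3 / 4            # three-fourths of the trigger threshold
        st = self.addrs.setdefault(ip, AddressState())
        if st.state == "prevention" and "drop" in actions:
            st.dropped += packets               # subsequent packets are dropped
        if st.state == "detection" and packets >= threshold:
            st.state = "prevention"
            if "logging" in actions:
                st.logs.append((second, ip, f"rate {packets} pps >= threshold {threshold}"))
        elif st.state == "prevention" and packets < silence:
            st.state = "detection"
            if "logging" in actions:
                st.logs.append((second, ip, f"rate {packets} pps < silence threshold {silence:g}"))
        return st.state


def run_trace(detector, trace):
    """trace: iterable of (second, ip, packets). Returns {ip: [state after each second]}."""
    history = {}
    for second, ip, packets in trace:
        history.setdefault(ip, []).append(detector.observe(ip, second, packets))
    return history


def demo():
    """Constructed trace: 10.0.0.1 under the global settings, 10.0.0.5 with an override."""
    policy = FloodPolicy(threshold=1000, actions=frozenset({"drop", "logging"}),
                         specific={"10.0.0.5": (2000, frozenset({"logging"}))})
    det = FloodDetector(policy)
    trace = [(s, "10.0.0.1", p) for s, p in enumerate([500, 1200, 900, 800, 740, 100], 1)]
    trace += [(s, "10.0.0.5", p) for s, p in enumerate([1500, 2000, 1400], 1)]
    return det, run_trace(det, trace)


if __name__ == "__main__":
    det, hist = demo()
    for ip, states in hist.items():
        print(ip, states, "dropped:", det.addrs[ip].dropped)
    for entry in det.addrs["10.0.0.1"].logs:
        print(entry)
```

Note what the trace shows: at 900 and 800 pps the address stays in prevention even though both rates are below the trigger threshold, because they are still at or above the 750 pps silence threshold; a rate of exactly 750 also keeps prevention. That gap is what stops an attacker hovering just under the threshold from flapping the device between states.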
  • Page 681: Attack-Defense Login Block-Timeout

    Each device can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect. Examples # Apply attack defense policy atk-policy-1 to the device. <Sysname> system-view [Sysname] attack-defense local apply policy atk-policy-1 Related commands attack-defense policy display attack-defense policy...
  • Page 682: Attack-Defense Login Max-Attempt

    undo attack-defense login enable Default Login attack prevention is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines After a user fails the maximum number of login attempts, login attack prevention uses the blacklist to block the user from logging in during the block period. For login attack prevention to take effect, you must enable the global blacklist feature.
  • Page 683: Attack-Defense Login Reauthentication-Delay

    The login failure counter for a user is reset after the user logs in successfully. If the device reboots, all login failure counters are reset. Examples # Set the maximum number of successive login failures to five. <Sysname> system-view [Sysname] attack-defense login max-attempt 5 Related commands attack-defense login enable attack-defense login reauthentication-delay...
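The rules for login attack prevention are spread over the attack-defense login enable, max-attempt and block-timeout pages: successive failures are counted per user, reaching max-attempt puts the user on the blacklist for the block period, a successful login or a reboot resets the counter, and nothing is actually blocked unless the global blacklist feature is enabled. The model below is an added example, not HPE code, that puts those rules together so the interaction with the blacklist feature can be checked. Assumed, because the pages here do not state them: the block period is expressed in seconds, a user's failure counter is cleared when the user is blocked, and a reboot also clears the blacklist (the manual says aged entries do not survive a reboot).

```python
"""Model of login attack prevention backed by the user blacklist.

Added example, not HPE code. Rules follow this chapter; the units of the
block period, counter reset on block, and blacklist reset on reboot are
assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    max_attempt: int = 3
    block_timeout: int = 60            # assumed: seconds
    login_enable: bool = True          # attack-defense login enable
    blacklist_global: bool = True      # blacklist global enable
    failures: dict = field(default_factory=dict)   # user -> successive failures
    blacklist: dict = field(default_factory=dict)  # user -> time the block ends

    def is_blocked(self, user, now):
        until = self.blacklist.get(user)
        if until is None:
            return False
        if now >= until:
            del self.blacklist[user]   # block period over: entry ages out
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Process one login attempt; returns 'ok', 'blocked' or 'failed'."""
        if self.is_blocked(user, now):
            return "blocked"           # even a correct password is refused while blocked
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if self.login_enable and n >= self.max_attempt:
            self.failures.pop(user, None)          # assumed: counter cleared on block
            if self.blacklist_global:              # without it the feature has no effect
                self.blacklist[user] = now + self.block_timeout
        return "failed"

    def reboot(self):
        self.failures.clear()
        self.blacklist.clear()


if __name__ == "__main__":
    g = LoginGuard(max_attempt=3, block_timeout=60)
    for t, ok in enumerate([False, False, False, True, True], 1):
        print(t, g.attempt("admin", ok, t))
```

The case worth testing on a real device is the second guard in the assertions: with the global blacklist feature off, failures are counted but never blocked, which is the misconfiguration the manual warns about.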
  • Page 684: Attack-Defense Signature Log Non-Aggregate

    undo attack-defense policy policy-name Default No attack defense policies exist. Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
  • Page 685: Attack-Defense Tcp Fragment Enable

    • Source and destination IP addresses. • VPN instance to which the victim IP address belongs. As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console. Examples # Enable log non-aggregation for single-packet attack events. <Sysname>...
  • Page 686: Blacklist Ip

    Syntax blacklist global enable undo blacklist global enable Default The global blacklist feature is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines If you enable the global blacklist feature, the blacklist feature is enabled on all interfaces. Examples # Enable the global blacklist feature.
  • Page 687: Blacklist Ipv6

    timeout minutes: Specifies the aging time in minutes for the blacklist entry, in the range of 1 to 1000. If you do not specify this option, the blacklist entry never ages out. You must delete it manually. Usage guidelines The undo blacklist ip command deletes only manually added IPv4 blacklist entries. To delete dynamically added IPv4 blacklist entries, use the reset blacklist ip command.
  • Page 688: Blacklist Logging Enable

    A blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot. You can use the display blacklist ipv6 command to display all effective IPv6 blacklist entries that are manually added. Examples # Add a blacklist entry for IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry.
  • Page 689: Blacklist User

    # Add 192.168.100.12 to the blacklist. A log is output for the adding event.
    [Sysname] blacklist ip 192.168.100.12
    %Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.
    # Delete 192.168.100.12 from the blacklist. A log is output for the deletion event.
    [Sysname] undo blacklist ip 192.168.100.12
    %Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12;...
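BLS_ENTRY_ADD and BLS_ENTRY_DEL messages are what a log collector sees when blacklist logging is enabled, and replaying them gives the set of entries in force at any point, including the dynamically added ones that display blacklist ip does not show. The parser below is an added example, not HPE code. The first log line is the one shown above; the other two are constructed to exercise a VPN-instance entry with an aging time and a deletion. Assumption: the TTL field carries the aging time in minutes, matching the timeout argument of the blacklist ip command.

```python
"""Parse BLS_ENTRY_ADD / BLS_ENTRY_DEL log messages and replay them into the
set of blacklist entries currently in force.

Added example, not HPE code. Only the first sample line comes from the
manual; the other two are constructed. TTL is assumed to be in minutes.
"""
import re
from datetime import datetime, timedelta

HEADER_RE = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d):(?P<ms>\d{3}) (?P<year>\d{4}) "
    r"(?P<host>\S+) (?P<module>[A-Z0-9]+)/(?P<severity>\d)/(?P<mnemonic>[A-Z0-9_]+):(?P<body>.*)$")
FIELD_RE = re.compile(r"^([A-Za-z0-9]+)\((\d+)\)=(.*)$")      # name(id)=value


def parse_bls_line(line):
    """Return a dict describing one BLS log line, or None if the line is not one."""
    m = HEADER_RE.match(line.strip())
    if not m or m["module"] != "BLS":
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['hms']}", "%b %d %Y %H:%M:%S")
    ts = ts.replace(microsecond=int(m["ms"]) * 1000)
    fields = {}
    for item in m["body"].rstrip(".").split(";"):
        f = FIELD_RE.match(item.strip())
        if f:                                     # "--" means not applicable
            fields[f.group(1)] = None if f.group(3) == "--" else f.group(3)
    return {"timestamp": ts, "host": m["host"], "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"], "fields": fields}


def replay(lines):
    """Apply ADD/DEL events in order. Returns (active entries keyed by
    (address, vpn-instance), list of parsed events)."""
    active, events = {}, []
    for line in lines:
        ev = parse_bls_line(line)
        if ev is None:
            continue
        events.append(ev)
        f = ev["fields"]
        key = (f.get("SrcIPAddr"), f.get("RcvVPNInstance"))
        if ev["mnemonic"] == "BLS_ENTRY_ADD":
            ttl = f.get("TTL")
            active[key] = {
                "since": ev["timestamp"],
                "reason": f.get("Reason"),
                # Empty TTL: the entry never ages out and must be deleted manually.
                "expires": ev["timestamp"] + timedelta(minutes=int(ttl)) if ttl else None,
            }
        elif ev["mnemonic"] == "BLS_ENTRY_DEL":
            active.pop(key, None)
    return active, events


# First line from the manual; the next two are constructed for the example.
SAMPLE_LOG = """\
%Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.
%Mar 13 03:48:10:002 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=10.20.30.40; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=vpn1; TTL(1051)=10; Reason(1052)=Configuration.
%Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.
"""

if __name__ == "__main__":
    active, events = replay(SAMPLE_LOG.splitlines())
    for (ip, vpn), entry in active.items():
        print(ip, vpn or "public", entry["reason"], "expires:", entry["expires"])
```

Entries are keyed by address plus VPN instance because the same address can be blacklisted separately in different L3VPN instances, which is also why the manual's display and undo commands take a vpn-instance option.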
  • Page 690: Display Attack-Defense Flood Statistics Ip

    display attack-defense flood statistics ip Use display attack-defense flood statistics ip to display IPv4 flood attack detection and prevention statistics. Syntax In standalone mode: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ [ local ] [ slot slot-number ] ] [ count ] In IRF mode: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood |...
  • Page 691: Display Attack-Defense Flood Statistics Ipv6

    device. If you do not specify a card, this command displays IPv4 flood attack detection and prevention statistics for all cards. (In IRF mode.) count: Displays the number of matching protected IPv4 addresses. Usage guidelines The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
  • Page 692 display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-flood | syn-ack-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ [ local ] [ slot slot-number ] ] [ count ] In IRF mode: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-flood | syn-ack-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn...
  • Page 693: Display Attack-Defense Policy

    Examples # (In standalone mode.) Display all IPv6 flood attack detection and prevention statistics. <Sysname> display attack-defense flood statistics ipv6 Slot 1: IPv6 address Detected on Detect type State Dropped 1::4 Local ACK-FLOOD Normal 1000 111111111 1::5 Local SYN-FLOOD Normal 1000 22222222 Slot 2:...
  • Page 694 mdc-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.
  • Page 695 UDP Snork Disabled Info UDP Fraggle Enabled Info IP option record route Disabled Info IP option internet timestamp Enabled Info IP option security Disabled Info IP option loose source routing Enabled Info IP option stream ID Disabled Info IP option strict source routing Disabled Info IP option route alert...
  • Page 696 HTTP flood 10000 80,8080 Enabled Flood attack defense for protected IP addresses: Address VPN instance Flood type Thres(pps) Actions Ports 1::1 FIN-FLOOD 192.168.1.1 SYN-ACK-FLOOD 10 1::1 FIN-FLOOD 2013:2013:2013:2013: DNS-FLOOD L,CV 2013:2013:2013:2013 Table 93 Command output Field Description Policy name Name of the attack defense policy. Locations to which the attack defense policy is applied: Local (Local Applied list indicates that the policy is applied to the device).
  • Page 697: Display Attack-Defense Policy Ip

    Field Description Global prevention actions against the flood attack: • D—Dropping packets. Global actions • L—Logging. • -—Not configured. Ports that are protected against the flood attack. This field displays port Service ports numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).
  • Page 698 In IRF mode: display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ] Views Any view Predefined user roles...
  • Page 699: Display Attack-Defense Policy Ipv6

    Slot 1: IP address VPN instance Type Rate threshold(PPS) Dropped 123.123.123.123 -- SYN-ACK-FLOOD 100 4294967295 201.55.7.45 ICMP-FLOOD 192.168.11.5 DNS-FLOOD Slot 2: IP address VPN instance Type Rate threshold(PPS) Dropped # (In standalone mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.
  • Page 700 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ack-flood: Specifies ACK flood attack.
  • Page 701: Display Attack-Defense Scan Attacker Ip

    # (In standalone mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in attack defense policy abc. <Sysname> display attack-defense policy abc flood ipv6 count Slot 1: Totally 3 flood protected IP addresses. Slot 2: Totally 0 flood protected IP addresses.
  • Page 702: Display Attack-Defense Scan Attacker Ipv6

    chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the local keyword.
  • Page 703 Syntax In standalone mode: display attack-defense scan attacker ipv6 [ [ local ] [ slot slot-number ] ] [ count ] In IRF mode: display attack-defense scan attacker ipv6 [ [ local ] [ chassis chassis-number slot slot-number ] ] [ count ] Views Any view...
  • Page 704: Display Attack-Defense Scan Victim Ip

    Table 98 Command output Field Description Totally 1 attackers Total number of IPv6 scanning attackers. IPv6 address IPv6 address of the attacker. MPLS L3VPN instance to which the attacker IPv6 address belongs. If the VPN instance attacker IPv6 address is on the public network, this field displays hyphens (--).
  • Page 705: Display Attack-Defense Scan Victim Ipv6

    Usage guidelines If you do not specify any parameters, this command displays information about all IPv4 scanning attack victims. Examples # (In standalone mode.) Display information about all IPv4 scanning attack victims. <Sysname> display attack-defense scan victim ip Slot 1: IP address VPN instance Detected on...
  • Page 706 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters local: Specifies the device. slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device. If you do not specify a card, this command displays information about IPv6 scanning attack victims for all cards.
  • Page 707: Display Attack-Defense Statistics Local

    Related commands display attack-defense scan attacker ipv6 scan detect display attack-defense statistics local Use display attack-defense statistics local to display attack detection and prevention statistics for the device. Syntax In standalone mode: display attack-defense statistics local [ slot slot-number ] In IRF mode: display attack-defense statistics local [ chassis chassis-number slot slot-number ] Views...
  • Page 708 UDP flood ICMP flood ICMPv6 flood DNS flood HTTP flood Signature attack defense statistics: AttackType AttackTimes Dropped IP option record route IP option security IP option stream ID IP option internet timestamp IP option loose source routing IP option strict source routing IP option route alert Fragment Impossible...
  • Page 709 ICMPv6 echo reply ICMPv6 group membership query ICMPv6 group membership report ICMPv6 group membership reduction ICMPv6 destination unreachable ICMPv6 time exceeded ICMPv6 parameter problem ICMPv6 packet too big Slot 2: Scan attack defense statistics: AttackType AttackTimes Dropped Port scan IP sweep Distribute port scan Flood attack defense statistics: AttackType...
  • Page 710: Display Blacklist Ip

    TCP invalid flag TCP Land Winnuke UDP Bomb Snork Fraggle Large ICMPv6 ICMP echo request ICMP echo reply ICMP source quench ICMP destination unreachable ICMP redirect ICMP time exceeded ICMP parameter problem ICMP timestamp request ICMP timestamp reply ICMP information request ICMP information reply ICMP address mask request ICMP address mask reply...
  • Page 711 Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters source-ip-address: Specifies the IPv4 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
  • Page 712: Display Blacklist Ipv6

    display blacklist ipv6 Use display blacklist ipv6 to display manually added IPv6 blacklist entries. Syntax display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] | count ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters source-ipv6-address: Specifies the IPv6 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs.
  • Page 713: Display Blacklist User

    Related commands blacklist ipv6 display blacklist user Use display blacklist user to display user blacklist entries. Syntax display blacklist user [ user-name ] [ count ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters user-name: Specifies a user by the username, a case-sensitive string of 1 to 55 characters. If you do not specify a user, this command displays all user blacklist entries.
  • Page 714: Dns-Flood Action

    Related commands blacklist global enable blacklist user dns-flood action Use dns-flood action to specify global actions against DNS flood attacks. Use undo dns-flood action to restore the default. Syntax dns-flood action { drop | logging } * undo dns-flood action Default No global action is specified for DNS flood attacks.
  • Page 715 Default IP address-specific DNS flood attack detection is not configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
  • Page 716: Dns-Flood Detect Non-Specific

    dns-flood detect non-specific Use dns-flood detect non-specific to enable global DNS flood attack detection. Use undo dns-flood detect non-specific to disable global DNS flood attack detection. Syntax dns-flood detect non-specific undo dns-flood detect non-specific Default Global DNS flood attack detection is disabled. Views Attack defense policy view Predefined user roles...
  • Page 717: Dns-Flood Threshold

    mdc-admin Parameters port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. Usage guidelines The device detects only DNS packets destined for the specified ports.
  • Page 718: Exempt Acl

    The global threshold applies to global DNS flood attack detection. Adjust the threshold according to the application scenarios. If the number of DNS packets sent to a protected DNS server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
  • Page 719: Fin-Flood Action

    • Destination IP address. • Source port. • Destination port. • Protocol. • L3VPN instance. • The fragment keyword for matching non-first fragments. If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.
  • Page 720: Fin-Flood Detect

    Related commands fin-flood detect fin-flood detect non-specific fin-flood threshold fin-flood detect Use fin-flood detect to configure IP address-specific FIN flood attack detection. Use undo fin-flood detect to remove the IP address-specific FIN flood attack detection configuration. Syntax fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ] undo fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default...
  • Page 721: Fin-Flood Detect Non-Specific

    <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] fin-flood detect ip 192.168.1.2 threshold 2000 Related commands fin-flood action fin-flood detect non-specific fin-flood threshold fin-flood detect non-specific Use fin-flood detect non-specific to enable global FIN flood attack detection. Use undo fin-flood detect non-specific to disable global FIN flood attack detection. Syntax fin-flood detect non-specific undo fin-flood detect non-specific...
  • Page 722: Http-Flood Action

    Syntax fin-flood threshold threshold-value undo fin-flood threshold Default The global threshold is 1000 for triggering FIN flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second.
  • Page 723: Http-Flood Detect

    Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters drop: Drops subsequent HTTP packets destined for the victim IP addresses. logging: Enables logging for HTTP flood attack events. Examples # Specify drop as the global action against HTTP flood attacks in attack defense policy atk-policy-1. <Sysname>...
  • Page 724: Http-Flood Detect Non-Specific

    port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
  • Page 725: Http-Flood Port

    mdc-admin Usage guidelines The global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command. Examples # Enable global HTTP flood attack detection in attack defense policy atk-policy-1.
  • Page 726: Http-Flood Threshold

    Related commands http-flood action http-flood detect http-flood detect non-specific http-flood threshold Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention. Use undo http-flood threshold to restore the default. Syntax http-flood threshold threshold-value undo http-flood threshold Default The global threshold is 1000 for triggering HTTP flood attack prevention.
  • Page 727: Icmp-Flood Action

    icmp-flood action Use icmp-flood action to specify global actions against ICMP flood attacks. Use undo icmp-flood action to restore the default. Syntax icmp-flood action { drop | logging } * undo icmp-flood action Default No global action is specified for ICMP flood attacks. Views Attack defense policy view Predefined user roles...
  • Page 728: Icmp-Flood Detect Non-Specific

    Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
  • Page 729: Icmp-Flood Threshold

    Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold command and global actions specified by the icmp-flood action command.
  • Page 730: Icmpv6-Flood Action

    The global threshold applies to global ICMP flood attack detection. Adjust the threshold according to the application scenarios. If the number of ICMP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
  • Page 731: Icmpv6-Flood Detect Ipv6

    icmpv6-flood detect ipv6 Use icmpv6-flood detect ipv6 to configure IPv6 address-specific ICMPv6 flood attack detection. Use undo icmpv6-flood detect ipv6 to remove the IPv6 address-specific ICMPv6 flood attack detection configuration. Syntax icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ] undo icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] Default...
  • Page 732: Icmpv6-Flood Detect Non-Specific

    Related commands icmpv6-flood action icmpv6-flood detect non-specific icmpv6-flood threshold icmpv6-flood detect non-specific Use icmpv6-flood detect non-specific to enable global ICMPv6 flood attack detection. Use undo icmpv6-flood detect non-specific to disable global ICMPv6 flood attack detection. Syntax icmpv6-flood detect non-specific undo icmpv6-flood detect non-specific Default Global ICMPv6 flood attack detection is disabled.
  • Page 733: Reset Attack-Defense Policy Flood

    Default The global threshold is 1000 for triggering ICMPv6 flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMPv6 packets sent to an IPv6 address per second. Usage guidelines With global ICMPv6 flood attack detection configured, the device is in attack detection state.
  • Page 734: Reset Attack-Defense Statistics Local

    Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ip: Specifies protected IPv4 addresses. ipv6: Specifies protected IPv6 addresses.
  • Page 735: Reset Blacklist Ipv6

    Predefined user roles network-admin mdc-admin Parameters source-ip-address: Specifies the IPv4 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
  • Page 736: Reset Blacklist Statistics

    reset blacklist statistics Use reset blacklist statistics to clear blacklist statistics. Syntax reset blacklist statistics Views User view Predefined user roles network-admin mdc-admin Usage guidelines This command resets the counter for dropped packets for all blacklist entries. Examples # Clear blacklist statistics. <Sysname>...
  • Page 737: Rst-Flood Detect

    [Sysname-attack-defense-policy-atk-policy-1] rst-flood action drop Related commands rst-flood detect rst-flood detect non-specific rst-flood threshold rst-flood detect Use rst-flood detect to configure IP address-specific RST flood attack detection. Use undo rst-flood detect to remove the IP address-specific RST flood attack detection configuration. Syntax rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]...
  • Page 738: Rst-Flood Detect Non-Specific

    Examples # Configure RST flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] rst-flood detect ip 192.168.1.2 threshold 2000 Related commands rst-flood action rst-flood detect non-specific rst-flood threshold rst-flood detect non-specific Use rst-flood detect non-specific to enable global RST flood attack detection. Use undo rst-flood detect non-specific to disable global RST flood attack detection.
  • Page 739: Scan Detect

    Use undo rst-flood threshold to restore the default. Syntax rst-flood threshold threshold-value undo rst-flood threshold Default The global threshold is 1000 for triggering RST flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of RST packets sent to an IP address per second.
  • Page 740 Default No scanning attack detection is configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters level: Specifies the level of the scanning attack detection. low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected.
  • Page 741: Signature { Large-Icmp | Large-Icmpv6 } Max-Length

    blacklist global enable signature { large-icmp | large-icmpv6 } max-length Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.
  • Page 742 signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } * undo signature detect { ip-option-abnormal | ping-of-death | teardrop } signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ] undo...
  • Page 743 • redirect: Specifies the ICMP redirect type. • source-quench: Specifies the ICMP source quench type. • time-exceeded: Specifies the ICMP time exceeded type. • timestamp-reply: Specifies the ICMP timestamp reply type. • timestamp-request: Specifies the ICMP timestamp request type. icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword: •...
  • Page 744: Signature Level Action

    teardrop: Specifies the teardrop attack. tiny-fragment: Specifies the tiny fragment attack. traceroute: Specifies the traceroute attack. udp-bomb: Specifies the UDP bomb attack. winnuke: Specifies the WinNuke attack. action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.
  • Page 745: Signature Level Detect

    Parameters high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level. info: Specifies the informational level. For example, large ICMP packet attack is on this level. low: Specifies the low level. For example, the traceroute attack is on this level. medium: Specifies the medium level.
  • Page 746: Syn-Ack-Flood Action

    Parameters high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level. info: Specifies the informational level. For example, large ICMP packet attack is on this level. low: Specifies the low level. For example, the traceroute attack is on this level. medium: Specifies the medium level.
  • Page 747: Syn-Ack-Flood Detect

    Examples # Specify drop as the global action against SYN-ACK flood attacks in attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood action drop Related commands syn-ack-flood detect syn-ack-flood detect non-specific syn-ack-flood threshold syn-ack-flood detect Use syn-ack-flood detect to configure IP address-specific SYN-ACK flood attack detection. Use undo syn-ack-flood detect to remove the IP address-specific SYN-ACK flood attack detection configuration.
  • Page 748: Syn-Ack-Flood Detect Non-Specific

    Usage guidelines With SYN-ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN-ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
  • Page 749: Syn-Ack-Flood Threshold

    Related commands syn-ack-flood action syn-ack-flood detect syn-ack-flood threshold syn-ack-flood threshold Use syn-ack-flood threshold to set the global threshold for triggering SYN-ACK flood attack prevention. Use undo syn-ack-flood threshold to restore the default. Syntax syn-ack-flood threshold threshold-value undo syn-ack-flood threshold Default The global threshold is 1000 for triggering SYN-ACK flood attack prevention.
  • Page 750: Syn-Flood Action

    syn-flood action Use syn-flood action to specify global actions against SYN flood attacks. Use undo syn-flood action to restore the default. Syntax syn-flood action { drop | logging } * undo syn-flood action Default No global action is specified for SYN flood attacks. Views Attack defense policy view Predefined user roles...
  • Page 751: Syn-Flood Detect Non-Specific

    Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
  • Page 752: Syn-Flood Threshold

    Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global SYN flood attack detection applies to all IP addresses except for those specified by the syn-flood detect command. The global detection uses the global trigger threshold set by the syn-flood threshold command and global actions specified by the syn-flood action command.
  • Page 753: Udp-Flood Action

    The global threshold applies to global SYN flood attack detection. Adjust the threshold according to the application scenarios. If the number of SYN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
  • Page 754: Udp-Flood Detect

    udp-flood detect Use udp-flood detect to configure IP address-specific UDP flood attack detection. Use undo udp-flood detect to remove the IP address-specific UDP flood attack detection configuration. Syntax udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ] undo udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default...
  • Page 755: Udp-Flood Detect Non-Specific

    Related commands udp-flood action udp-flood detect non-specific udp-flood threshold udp-flood detect non-specific Use udp-flood detect non-specific to enable global UDP flood attack detection. Use undo udp-flood detect non-specific to disable global UDP flood attack detection. Syntax udp-flood detect non-specific undo udp-flood detect non-specific Default Global UDP flood attack detection is disabled.
  • Page 756 Default The global threshold is 1000 for triggering UDP flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of UDP packets sent to an IP address per second. Usage guidelines With global UDP flood attack detection configured, the device is in attack detection state.
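    The flood commands on the preceding pages all share one mechanism: a per-address trigger threshold, a silence threshold of three-fourths of it (page 748), global settings that apply to every address not covered by an address-specific entry (pages 729 and 752), and drop/logging actions that are only taken while the device is in prevention state. The Python model below is an added illustration and is not code from the HPE reference. It assumes that rates are sampled once per second per protected address, that an address-specific entry inheriting the global threshold or action when the keyword is omitted, and that action none is an explicit empty action set; the class, method and address names are the example's own.

```python
"""Model of the *-flood detect / detect non-specific / threshold / action
state machine.  Added example, not code from the HPE reference.  Assumed:
one rate sample per second per address; silence threshold = 3/4 of the
trigger threshold; per-address entries inherit omitted global settings."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FloodDefense:
    """Flood settings for one protocol (e.g. SYN-ACK) inside a policy."""
    global_threshold: int = 1000                            # documented default
    global_actions: Set[str] = field(default_factory=set)   # default: no action
    global_detect: bool = False                             # *-flood detect non-specific
    # address -> (threshold or None, action set or None); None = use global
    specific: Dict[str, Tuple[Optional[int], Optional[Set[str]]]] = field(
        default_factory=dict)
    state: Dict[str, str] = field(default_factory=dict)     # "detect" / "prevent"

    def detect(self, addr: str, threshold: Optional[int] = None,
               actions: Optional[Set[str]] = None) -> None:
        """*-flood detect ip ADDR [threshold N] [action {drop|logging}* | none]."""
        self.specific[addr] = (threshold, actions)

    def settings(self, addr: str) -> Tuple[Optional[int], Set[str]]:
        """Effective threshold and actions for addr; (None, set()) if not covered."""
        if addr in self.specific:
            thr, act = self.specific[addr]
            return (thr if thr is not None else self.global_threshold,
                    act if act is not None else set(self.global_actions))
        if self.global_detect:
            return self.global_threshold, set(self.global_actions)
        return None, set()

    def sample(self, addr: str, pps: int) -> Set[str]:
        """Feed one second's packet count toward addr; return the actions applied."""
        thr, actions = self.settings(addr)
        if thr is None:
            return set()                                    # address not detected at all
        cur = self.state.get(addr, "detect")
        if cur == "detect" and pps >= thr:                  # rate reaches the threshold
            cur = "prevent"
        elif cur == "prevent" and pps < thr * 3 / 4:        # rate below silence threshold
            cur = "detect"
        self.state[addr] = cur
        return set(actions) if cur == "prevent" else set()

    def run(self, addr: str, rates: List[int]) -> List[str]:
        """Replay a per-second rate series; return the state after each sample."""
        trace = []
        for r in rates:
            self.sample(addr, r)
            trace.append(self.state.get(addr, "detect"))
        return trace


if __name__ == "__main__":
    # Constructed scenario: global detection with drop+logging, one server
    # with its own higher threshold and logging only.
    d = FloodDefense(global_detect=True, global_actions={"drop", "logging"})
    d.detect("192.168.1.2", threshold=2000, actions={"logging"})
    for pps in (1999, 2000, 1500, 1499):
        print("192.168.1.2", pps, d.sample("192.168.1.2", pps), d.state["192.168.1.2"])
    print("10.0.0.1", d.run("10.0.0.1", [700, 1200, 760, 740]))
```

The hysteresis is the point worth checking: once in prevention state the device stays there until the rate falls below 1500 pps for a 2000 pps threshold, so an attacker pacing just under the trigger rate after the first burst keeps the server in prevention (and, with drop configured, keeps legitimate traffic being dropped). That is why the usage guidelines tell you to size the threshold to the server's normal load.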
  • Page 757: Tcp Attack Prevention Commands

    TCP attack prevention commands tcp anti-naptha enable Use tcp anti-naptha enable to enable Naptha attack prevention. Use undo tcp anti-naptha enable to disable Naptha attack prevention. Syntax tcp anti-naptha enable undo tcp anti-naptha enable Default Naptha attack prevention is disabled. Views System view Predefined user roles...
  • Page 758: Tcp State

    Views System view Predefined user roles network-admin mdc-admin Parameters interval: Specifies the check interval in the range of 1 to 60 seconds. Usage guidelines This command takes effect after you enable Naptha attack prevention. After you enable Naptha attack prevention, the device checks the number of TCP connections in each state at intervals.
  • Page 759 connection-limit number: Specifies the maximum number of TCP connections, in the range of 0 to 500. The value of 0 represents that the device does not accelerate the aging of the TCP connections in a state. Usage guidelines This command takes effect after you enable Naptha attack prevention. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in the state.
  • Page 760: Ip Source Guard Commands

    IP source guard commands display ip source binding Use display ip source binding to display IPv4SG bindings. Syntax In standalone mode: display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ arp-snooping | dhcp-relay | dhcp-server | dhcp-snooping | dot1x ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] In IRF mode: display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ arp-snooping |...
  • Page 761: Display Ip Verify Source Excluded

    argument represents the slot number of the card. If you do not specify a card, this command displays IPv4SG bindings for the global active MPU. (In IRF mode.) Examples # Display all IPSG bindings on the public network. <Sysname> display ip source binding Total entries found: 5 IP Address MAC Address...
  • Page 762 display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ slot slot-number ] In IRF mode: display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin...
  • Page 763: Display Ipv6 Source Binding

    Field Description End VLAN ID of the VLAN range that has been configured to be End VLAN ID excluded from IPSG filtering. Whether the excluded VLAN configuration takes effect: • Active—The configuration takes effect. Status • Inactive—The configuration does not take effect. Related commands ip verify source exclude display ipv6 source binding...
  • Page 764: Display Ipv6 Source Binding Pd

    interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6SG address bindings for the active MPU. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
  • Page 765 Syntax In standalone mode: display ipv6 source binding pd [ vpn-instance vpn-instance-name ] [ prefix prefix/prefix-length ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] In IRF mode: display ipv6 source binding pd [ vpn-instance vpn-instance-name ] [ prefix prefix/prefix-length ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ] Views...
  • Page 766: Ip Source Binding (Interface View)

    Table 108 Command output Field Description Total entries found Total number of IPv6SG prefix bindings. IPv6 prefix IPv6 prefix and prefix length in the IPv6SG prefix binding. MAC address in the IPv6SG prefix binding. MAC address This field displays N/A if the MAC address is invalid. Interface to which the IPv6SG prefix binding belongs.
  • Page 767: Ip Source Binding (System View)

    Usage guidelines Static IPv4SG bindings on an interface implement the following functions: • Filter incoming IPv4 packets on the interface. • Check user validity by cooperating with the ARP attack detection feature. You cannot configure static IPv4SG bindings on a service loopback interface. Examples # Configure a static IPv4SG binding on Ten-GigabitEthernet 1/0/1.
  • Page 768: Ip Verify Source

    Related commands display ip source binding ip source binding (interface view) ip verify source Use ip verify source to enable IPv4SG on an interface. Use undo ip verify source to disable IPv4SG on an interface. Syntax ip verify source { ip-address | ip-address mac-address | mac-address } undo ip verify source Default The IPv4SG feature is disabled on an interface.
  • Page 769: Ip Verify Source Exclude

    # Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/2 [Sysname-Ten-GigabitEthernet1/0/2] ip verify source ip-address mac-address # Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source MAC address for dynamic IPSG.
  • Page 770: Ipv6 Source Binding (Interface View)

    Related commands display ip verify source excluded ipv6 source binding (interface view) Use ipv6 source binding to configure a static IPv6SG binding. Use undo ipv6 source binding to delete the static IPv6SG bindings configured on an interface. Syntax ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } undo ipv6 source binding { all | ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address }...
  • Page 771: Ipv6 Source Binding (System View)

    ipv6 source binding (system view) Use ipv6 source binding to configure a global static IPv6SG binding. Use undo ipv6 source binding to delete one or all global static IPv6SG bindings. Syntax ipv6 source binding ip-address ipv6-address mac-address mac-address undo ipv6 source binding { all | ip-address ipv6-address mac-address mac-address } Default No global static IPv6SG bindings exist.
  • Page 772 Views Layer 2 Ethernet interface view Layer 3 Ethernet interface view VLAN interface view Predefined user roles network-admin mdc-admin Parameters ip-address: Filters incoming packets by source IPv6 addresses. ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.
  • Page 773: Arp Attack Protection Commands

    ARP attack protection commands Unresolvable IP attack protection commands arp resolving-route enable Use arp resolving-route enable to enable ARP blackhole routing. Use undo arp resolving-route enable to disable ARP blackhole routing. Syntax arp resolving-route enable undo arp resolving-route enable Default ARP blackhole routing is enabled.
  • Page 774: Arp Resolving-Route Probe-Interval

    Views System view Predefined user roles network-admin mdc-admin Parameters count: Sets the number of probes, in the range of 1 to 25. Examples # Configure the device to perform five ARP blackhole route probes for each unresolved IP address. <Sysname> system-view [Sysname] arp resolving-route probe-count 5 Related commands arp resolving-route enable...
  • Page 775: Arp Source-Suppression Enable

    arp source-suppression enable Use arp source-suppression enable to enable the ARP source suppression feature. Use undo arp source-suppression enable to disable the ARP source suppression feature. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression feature is disabled. Views System view Predefined user roles...
  • Page 776: Display Arp Source-Suppression

    Usage guidelines If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse. Examples # Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
  • Page 777: Arp Rate-Limit Log Enable

    undo arp rate-limit Default The ARP packet rate limit feature is enabled on an interface. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Layer 3 Ethernet interface view Layer 3 aggregate interface view Predefined user roles network-admin mdc-admin Parameters pps: Specifies the upper limit for ARP packet rate in pps.
  • Page 778: Arp Rate-Limit Log Interval

    configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide. Examples # Enable logging for ARP packet rate limit. <Sysname> system-view [Sysname] arp rate-limit log enable arp rate-limit log interval Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.
  • Page 779: Source Mac-Based Arp Attack Detection Commands

    Syntax snmp-agent trap enable arp [ rate-limit ] undo snmp-agent trap enable arp [ rate-limit ] Default SNMP notifications for ARP are disabled. Views System view Predefined user roles network-admin mdc-admin Parameters rate-limit: Specifies the ARP packet rate limit feature. Usage guidelines After you enable SNMP notifications for ARP, the device generates a notification that includes the highest threshold-crossed ARP packet rate within the sending interval.
  • Page 780: Arp Source-Mac Aging-Time

    Parameters filter: Specifies the filter handling method. monitor: Specifies the monitor handling method. Usage guidelines Configure this feature on the gateways. This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address.
  • Page 781: Arp Source-Mac Exclude-Mac

    arp source-mac exclude-mac Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection. Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection. Syntax arp source-mac exclude-mac mac-address&<1-64> undo arp source-mac exclude-mac [ mac-address&<1-64>...
  • Page 782: Display Arp Source-Mac

    Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000. Examples # Set the threshold for source MAC-based ARP attack detection to 30. <Sysname> system-view [Sysname] arp source-mac threshold 30 display arp source-mac Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP...
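    The source MAC-based detection on pages 780 to 782 counts ARP packets per source MAC over a 5-second window, creates an attack entry when the count exceeds the threshold, and then either filters or only monitors that MAC until the entry ages out; the exclude-mac list takes addresses out of the count entirely. The following Python model is an added illustration, not code from the HPE reference. It assumes a fixed 5-second window aligned to multiples of 5 s, that the entry aging time is passed in as a parameter (the reference sets it with arp source-mac aging-time), and that an entry is created on the packet that first exceeds the threshold; the class, interface and MAC names are constructed for the example.

```python
"""Model of arp source-mac {filter|monitor}, arp source-mac threshold,
arp source-mac exclude-mac and display arp source-mac.  Added example,
not code from the HPE reference.  Assumed: fixed 5 s window, aging time
as a constructor argument, entry created on the first packet over the
threshold."""

from collections import defaultdict
from typing import Dict, List, Tuple


class SourceMacArpDetector:
    WINDOW = 5  # seconds, as stated in the reference

    def __init__(self, handling: str = "filter", threshold: int = 30,
                 aging_time: int = 300, exclude_macs=()):
        if handling not in ("filter", "monitor"):
            raise ValueError("handling must be filter or monitor")
        if not 1 <= threshold <= 5000:               # documented value range
            raise ValueError("threshold range is 1 to 5000")
        self.handling = handling
        self.threshold = threshold
        self.aging_time = aging_time
        self.exclude = {m.lower() for m in exclude_macs}
        self.counts: Dict[Tuple[str, int], int] = defaultdict(int)  # (mac, window) -> count
        self.entries: Dict[str, dict] = {}           # mac -> attack entry

    def process(self, mac: str, vlan: int, interface: str, now: float) -> str:
        """Account one ARP packet sent to the CPU; return 'forward', 'drop' or 'monitor'."""
        mac = mac.lower()
        if mac in self.exclude:
            return "forward"                         # excluded from detection
        entry = self.entries.get(mac)
        if entry is not None and now >= entry["expires"]:
            del self.entries[mac]                    # attack entry aged out
            entry = None
        key = (mac, int(now // self.WINDOW))
        self.counts[key] += 1
        if entry is None and self.counts[key] > self.threshold:
            entry = {"vlan": vlan, "interface": interface,
                     "expires": now + self.aging_time}
            self.entries[mac] = entry
        if entry is None:
            return "forward"
        # filter drops ARP packets from the attacking MAC; monitor only reports them
        return "drop" if self.handling == "filter" else "monitor"

    def display(self, now: float) -> List[Tuple[str, int, str, int]]:
        """Rows like Table 110: Source-MAC, VLAN ID, Interface, Aging-time (minutes left)."""
        rows = []
        for mac, e in sorted(self.entries.items()):
            if now < e["expires"]:
                minutes_left = int((e["expires"] - now + 59) // 60)
                rows.append((mac, e["vlan"], e["interface"], minutes_left))
        return rows
```

Run as a gateway-side filter, the detector stops an ARP storm from a single host at the CPU, but note that the window is keyed on the source MAC only: a spoofing host that rotates its source MAC defeats the threshold, which is why the reference pairs this feature with ARP attack detection and source MAC consistency checks on the access side.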
  • Page 783: Arp Packet Source Mac Consistency Check Commands

    Table 110 Command output Field Description Source-MAC Source MAC address of the attack. VLAN ID ID of the VLAN in which the attack was detected. Interface Interface on which the attack was detected. Aging-time Aging time for the ARP attack entry, in minutes. ARP packet source MAC consistency check commands arp valid-check enable...
  • Page 784: Authorized Arp Commands

    Syntax arp active-ack [ strict ] enable undo arp active-ack [ strict ] enable Default The ARP active acknowledgement feature is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters strict: Enables strict mode for ARP active acknowledgement. Usage guidelines Configure this feature on gateways to prevent user spoofing.
  • Page 785: Arp Attack Detection Commands

    Predefined user roles network-admin mdc-admin Examples # Enable authorized ARP on VLAN-interface 200. <Sysname> system-view [Sysname] interface vlan-interface 200 [Sysname-Vlan-interface200] arp authorized enable ARP attack detection commands arp detection enable Use arp detection enable to enable ARP attack detection. Use undo arp detection enable to disable ARP attack detection. Syntax arp detection enable undo arp detection enable...
  • Page 786: Arp Detection Port-Match-Ignore

    Syntax arp detection log enable undo arp detection log enable Default ARP attack detection logging is disabled. Views System view Predefined user roles network-admin mdc-admin Examples # Enable ARP attack detection logging. <Sysname> system-view [Sysname] arp detection log enable arp detection port-match-ignore Use arp detection port-match-ignore to ignore ingress ports of ARP packets during user validity check.
  • Page 787: Arp Detection Rule

    arp detection rule Use arp detection rule to configure a user validity check rule. Use undo arp detection rule to delete a user validity check rule. Syntax arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ] undo arp detection rule [ rule-id ] Default...
  • Page 788: Arp Detection Trust

    [Sysname-vlan2] arp detection enable Related commands arp detection enable arp detection trust Use arp detection trust to configure an interface as an ARP trusted interface or configure an AC as an ARP trusted AC. Use undo arp detection trust to restore the default. Syntax arp detection trust undo arp detection trust...
  • Page 789: Arp Restricted-Forwarding Enable

    Views System view Predefined user roles network-admin mdc-admin Parameters dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
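    Pages 785 to 789 describe the checks ARP attack detection applies to packets in an enabled VLAN: packets from trusted interfaces are not checked, a user validity check rule (arp detection rule) permits or denies by sender IP, sender MAC and VLAN, packets that match no rule are checked against bindings with the ingress port optionally ignored (arp detection port-match-ignore), and the dst-mac validity check discards replies whose target MAC is all-zero, all-one or differs from the Ethernet destination. The Python model below is an added illustration and not code from the HPE reference. It assumes rules are tried in ascending rule-ID order with the first match deciding, that the IP mask is a subnet mask and the MAC mask a bitmask (both defaulting to all ones), that the binding table holds (IP, MAC, VLAN, port) tuples such as static IPSG bindings, and that an unmatched packet is dropped; the interface names, addresses and the sample packet are constructed for the example.

```python
"""Model of ARP attack detection checks: arp detection trust, arp detection
validate dst-mac, arp detection rule, binding fallback and
port-match-ignore.  Added example, not code from the HPE reference.
Assumed: ascending rule-id order, subnet/bit masks, drop when nothing matches."""

import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

BROADCAST_MAC = 0xFFFFFFFFFFFF


def mac_int(mac: str) -> int:
    """Accept H-H-H, aa:bb:cc:dd:ee:ff or aabbccddeeff."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass
class ArpPacket:
    ingress: str            # receiving interface
    vlan: int
    eth_src: str
    eth_dst: str
    op: str                 # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


@dataclass
class Rule:
    """arp detection rule ID {deny|permit} ip {IP [MASK]|any} mac {MAC [MASK]|any} [vlan V]"""
    rule_id: int
    action: str
    ip: Optional[str] = None             # None means 'any'
    ip_mask: str = "255.255.255.255"
    mac: Optional[str] = None            # None means 'any'
    mac_mask: str = "ffff-ffff-ffff"
    vlan: Optional[int] = None

    def matches(self, pkt: ArpPacket) -> bool:
        if self.vlan is not None and pkt.vlan != self.vlan:
            return False
        if self.ip is not None:
            m = int(ipaddress.IPv4Address(self.ip_mask))
            if (int(ipaddress.IPv4Address(pkt.sender_ip)) & m) != (int(ipaddress.IPv4Address(self.ip)) & m):
                return False
        if self.mac is not None:
            m = mac_int(self.mac_mask)
            if (mac_int(pkt.sender_mac) & m) != (mac_int(self.mac) & m):
                return False
        return True


class ArpDetection:
    def __init__(self, rules: Sequence[Rule], bindings: Sequence[Tuple[str, str, int, str]],
                 trusted: Sequence[str] = (), validate_dst_mac: bool = False,
                 port_match_ignore: bool = False):
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        self.bindings = list(bindings)
        self.trusted = set(trusted)
        self.validate_dst_mac = validate_dst_mac
        self.port_match_ignore = port_match_ignore

    def check(self, pkt: ArpPacket) -> Tuple[str, str]:
        """Return ('forward'|'drop', reason) for one ARP packet in a detection-enabled VLAN."""
        if pkt.ingress in self.trusted:
            return "forward", "trusted interface, not checked"
        # Packet validity check: a reply's target MAC must be a real unicast
        # address and equal the Ethernet destination.
        if self.validate_dst_mac and pkt.op == "reply":
            tgt = mac_int(pkt.target_mac)
            if tgt == 0 or tgt == BROADCAST_MAC or tgt != mac_int(pkt.eth_dst):
                return "drop", "dst-mac check failed"
        # User validity check: rules first, in ascending rule ID order.
        for rule in self.rules:
            if rule.matches(pkt):
                return ("forward" if rule.action == "permit" else "drop",
                        f"rule {rule.rule_id} {rule.action}")
        # Then the binding table; port-match-ignore skips the ingress port comparison.
        for ip, mac, vlan, port in self.bindings:
            if (ip == pkt.sender_ip and mac_int(mac) == mac_int(pkt.sender_mac)
                    and vlan == pkt.vlan
                    and (self.port_match_ignore or port == pkt.ingress)):
                return "forward", "matches binding"
        return "drop", "no rule or binding matches sender"


def sample_packet(**overrides) -> ArpPacket:
    """Constructed ARP request from a bound host; keyword arguments override fields."""
    base = dict(ingress="XGE1/0/5", vlan=2, eth_src="00e0-fc00-0005", eth_dst="00e0-fc00-0001",
                op="request", sender_ip="10.1.2.5", sender_mac="00e0-fc00-0005",
                target_ip="10.1.2.1", target_mac="0000-0000-0000")
    base.update(overrides)
    return ArpPacket(**base)
```

Two things the model makes visible: a permit rule is broad (here any sender in 10.1.1.0/24 on VLAN 2 is accepted regardless of MAC, so such rules should be confined to subnets with no untrusted hosts), and the binding fallback is what ties a sender to its port, so enabling port-match-ignore trades that port pinning away and should be limited to the cases the reference describes for it.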
  • Page 790: Display Arp Detection

    [Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs and VSIs that are enabled with ARP attack detection. Syntax display arp detection Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display the VLANs and VSIs that are enabled with ARP attack detection. <Sysname>...
  • Page 791: Reset Arp Detection Statistics

    Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ARP attack detection statistics for all interfaces and all Ethernet service instances on the interfaces. service-instance instance-id: Specifies an Ethernet service instance by its ID. If you do not specify an Ethernet service instance, this command displays ARP attack detection statistics for all Ethernet service instances on the specified interface.
  • Page 792: Arp Scanning And Fixed Arp Commands

    Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ARP attack detection statistics for all interfaces and all Ethernet service instances on the interfaces. service-instance instance-id: Specifies an Ethernet service instance by its ID.
  • Page 793: Arp Scan

    To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command. Examples # Convert existing dynamic ARP entries to static ARP entries. <Sysname>...
  • Page 794: Arp Gateway Protection Commands

    [Sysname-Vlan-interface2] arp scan # Configure the device to scan neighbors in an address range. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20 ARP gateway protection commands arp filter source Use arp filter source to enable ARP gateway protection for a gateway. Use undo arp filter source to disable ARP gateway protection for a gateway.
  • Page 795: Arp Packet Sender Ip Address Checking Commands

    Syntax arp filter binding ip-address mac-address undo arp filter binding ip-address Default ARP filtering is disabled. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies a permitted sender IP address. mac-address: Specifies a permitted sender MAC address.
  • Page 796 Views VLAN view Predefined user roles network-admin mdc-admin Parameters start-ip-address: Specifies the start IP address. end-ip-address: Specifies the end IP address. The end IP address must be higher than or equal to the start IP address. Usage guidelines The gateway discards an ARP packet if its sender IP address is not within the allowed IP address range.
  • Page 797: Nd Attack Defense Commands

    ND attack defense commands Source MAC consistency check commands ipv6 nd check log enable Use ipv6 nd check log enable to enable the ND logging feature. Use undo ipv6 nd check log enable to restore the default. Syntax ipv6 nd check log enable undo ipv6 nd check log enable Default The ND logging feature is disabled.
  • Page 798: Nd Attack Detection Commands

    Views System view Predefined user roles network-admin mdc-admin Usage guidelines Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
  • Page 799: Ipv6 Nd Detection Enable

    Table 112 Command output Field Description Interface Input interface of the ND messages. Packets dropped Number of ND messages dropped by ND attack detection. ipv6 nd detection enable Use ipv6 nd detection enable to enable ND attack detection. This feature checks the ND message validity.
  • Page 800: Reset Ipv6 Nd Detection Statistics

    mdc-admin Examples # Configure Ten-GigabitEthernet 1/0/1 as an ND trusted interface. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] ipv6 nd detection trust # Configure Bridge-Aggregation 1 as an ND trusted interface. <Sysname> system-view [Sysname] interface bridge-aggregation 1 [Sysname-Bridge-Aggregation1] ipv6 nd detection trust reset ipv6 nd detection statistics Use reset ipv6 nd detection statistics to clear ND attack detection statistics.
  • Page 801: Display Ipv6 Nd Raguard Statistics

    Parameters policy-name: Specifies an RA guard policy by its name. The policy name is a case-sensitive string of 1 to 31 characters. If you do not specify a policy, this command displays the configuration of all RA guard policies. Examples # Display the configuration of all RA guard policies.
  • Page 802: If-Match Acl

    Syntax display ipv6 nd raguard statistics [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays RA guard statistics for all interfaces. Examples # Display RA guard statistics.
  • Page 803: If-Match Autoconfig Managed-Address-Flag

    Predefined user roles network-admin mdc-admin Parameters ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999. name ipv6-acl-name: Specifies an IPv6 basic ACL by its name, a case-insensitive string of 1 to 63 characters. The name must start with an English letter. To avoid confusion, the name cannot be the keyword all. Usage guidelines RA guard uses the ACL match criterion to match the IP address of the RA message sender.
  • Page 804: If-Match Autoconfig Other-Flag

    Examples # Specify on as the M flag match criterion for the RA guard policy policy1. <Sysname> system-view [Sysname] ipv6 nd raguard policy policy1 [Sysname-raguard-policy-policy1] if-match autoconfig managed-address-flag on if-match autoconfig other-flag Use if-match autoconfig other-flag to specify an O flag match criterion. Use undo if-match autoconfig other-flag to delete the O flag match criterion.
  • Page 805: If-Match Prefix

    Default No maximum or minimum hop limit match criterion exists. Views RA guard policy view Predefined user roles network-admin mdc-admin Parameters maximum: Specifies the maximum advertised hop limit. An RA message passes the check if its current hop limit is not higher than the maximum advertised hop limit. minimum: Specifies the minimum advertised hop limit.
  • Page 806: If-Match Router-Preference

    Usage guidelines An RA message passes the check if the advertised prefixes in the message match the prefixes set by the ACL. If the specified ACL does not exist or does not contain a rule, the prefix match criterion does not take effect.
  • Page 807: Ipv6 Nd Raguard Apply Policy

    Examples # Specify medium as the router preference match criterion for the RA guard policy policy1. <Sysname> system-view [Sysname] ipv6 nd raguard policy policy1 [Sysname-raguard-policy-policy1] if-match router-preference maximum medium ipv6 nd raguard apply policy Use ipv6 nd raguard apply policy to apply an RA guard policy to a VLAN. Use undo ipv6 nd raguard apply policy to remove the RA guard policy from a VLAN.
  • Page 808: Ipv6 Nd Raguard Policy

    undo ipv6 nd raguard log enable Default The RA guard logging feature is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This command allows a device to generate logs when it detects forged RA messages. The log information helps administrators locate and solve problems.
  • Page 809: Ipv6 Nd Raguard Role

    Parameters policy-name: Assigns a name to the RA guard policy. The name is a case-sensitive string of 1 to 31 characters. Examples # Create RA guard policy policy1 and enter its view. <Sysname> system-view [Sysname] ipv6 nd raguard policy policy1 [Sysname-raguard-policy-policy1] Related commands display ipv6 nd raguard policy...
  • Page 810: Reset Ipv6 Nd Raguard Statistics

    reset ipv6 nd raguard statistics Use reset ipv6 nd raguard statistics to clear RA guard statistics. Syntax reset ipv6 nd raguard statistics [ interface interface-type interface-number ] Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears RA guard statistics for all interfaces.
  • Page 811: Ipv4 Urpf Commands

    IPv4 uRPF commands display ip urpf Use display ip urpf to display uRPF configuration. Syntax In standalone mode: display ip urpf slot slot-number In IRF mode: display ip urpf chassis chassis-number slot slot-number Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator...
  • Page 812 Use undo ip urpf to disable uRPF. Syntax ip urpf { loose [ allow-default-route ] | strict [ allow-default-route ] } undo ip urpf Default uRPF is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
  • Page 813: Ipv6 Urpf Commands

    IPv6 uRPF commands display ipv6 urpf Use display ipv6 urpf to display IPv6 uRPF configuration. Syntax In standalone mode: display ipv6 urpf slot slot-number In IRF mode: display ipv6 urpf chassis chassis-number slot slot-number Views Any view Predefined user roles network-admin network-operator mdc-admin...
  • Page 814 Use undo ipv6 urpf to disable IPv6 uRPF. Syntax ipv6 urpf { loose | strict } [ allow-default-route ] undo ipv6 urpf Default IPv6 uRPF is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.
  • Page 815: Mff Commands

    MFF commands display mac-forced-forwarding interface Use display mac-forced-forwarding interface to display MFF port configuration. Syntax display mac-forced-forwarding interface Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display MFF port configuration. <Sysname> display mac-forced-forwarding interface Network Port: XGE1/0/1 XGE1/0/2 User Port:...
  • Page 816: Mac-Forced-Forwarding

    mdc-admin mdc-operator Parameters vlan-id: Specifies a VLAN by its ID. Examples # Display the MFF configuration for VLAN 2. <Sysname> display mac-forced-forwarding vlan 2 VLAN 2 Mode: Manual/Single Gateway: -------------------------------------------------------------------------- 192.168.1.42 000f-e200-8046 Server: -------------------------------------------------------------------------- 192.168.1.48 192.168.1.49 Table 118 Command output Field Description VLAN 2...
  • Page 817: Mac-Forced-Forwarding Gateway Probe

    mdc-admin Parameters default-gateway gateway-ip: Specifies the IP address of the default gateway. Usage guidelines For MFF to take effect, make sure ARP snooping is enabled on the device. For a network (or VLAN) with IP addresses manually configured, the gateway IP address must be manually configured.
  • Page 818: Mac-Forced-Forwarding Network-Port

    mac-forced-forwarding network-port Use mac-forced-forwarding network-port to configure the Ethernet port as a network port. Use undo mac-forced-forwarding network-port to restore the default. Syntax mac-forced-forwarding network-port undo mac-forced-forwarding network-port Default The Ethernet port is a user port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin...
  • Page 819 undo mac-forced-forwarding server server-ip&<1-10> Default No server IP address is specified. Views VLAN view Predefined user roles network-admin mdc-admin Parameters server-ip&<1-10>: Specifies a space-separated list of up to 10 server IP addresses. Usage guidelines You need to maintain a server list on the MFF device to ensure communication between the servers and clients.
  • Page 820: Fips Commands

    FIPS commands display fips status Use display fips status to display the FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display the FIPS mode state. <Sysname> display fips status FIPS mode is enabled.
  • Page 821 After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: • Automatic reboot Select the automatic reboot method. The system automatically performs the following tasks: a. Create a default FIPS configuration file named fips-startup.cfg. b.
  • Page 822: Fips Self-Test

    Reboot the device automatically? [Y/N]:y The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically. Enter username(1-55 characters): root Enter password(15-63 characters): Confirm password: Waiting for reboot...
  • Page 823 Examples # Trigger a self-test on the cryptographic algorithms. <Sysname> system-view [Sysname] fips self-test Cryptographic Algorithms Known-Answer Tests are running ... CPU 0 of slot 0 in chassis 0: Starting Known-Answer tests in the user space. Known-answer test for SHA1 passed. Known-answer test for SHA224 passed.
  • Page 824 Known-answer test for DSA(signature/verification) passed. Known-answer test for random number generator passed. Known-Answer tests in the user space passed. Starting Known-Answer tests in the kernel. Known-answer test for AES passed. Known-answer test for HMAC-SHA1 passed. Known-answer test for SHA1 passed. Known-answer test for GCM passed.
  • Page 825: Macsec Commands

    MACsec commands confidentiality-offset Use confidentiality-offset to set the MACsec confidentiality offset in an MKA policy. Use undo confidentiality-offset to restore the default. Syntax confidentiality-offset offset-value undo confidentiality-offset Default The MACsec confidentiality offset is 0. The entire frame is encrypted. Views MKA policy view Predefined user roles network-admin...
  • Page 826 Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MACsec information on all ports. verbose: Displays detailed MACsec information. If you do not specify this keyword, the command displays brief MACsec information.
  • Page 827 Table 119 Command output. Protect frames: Status of MACsec desire on the port: • Yes. • If the port does not have an MKA principal actor, this field displays N/A. Active MKA policy: MKA policy applied to the port. This field displays N/A if the port is not enabled with MACsec desire. This field is not available if the port is enabled with MACsec desire but has no MKA policy applied.
  • Page 828: Display Mka Policy

    Field Description Packet number for outbound traffic. SA number. The minimum received packet number allowed by SAK. Related commands mka apply policy display mka policy Use display mka policy to display MKA policy information. Syntax display mka { default-policy | policy [ name policy-name ] } Views Any view Predefined user roles...
  • Page 829: Display Mka Session

    ConfOffset: Confidentiality offset in bytes. Validation: Validation mode: • Check. • Strict. Related commands mka policy mka apply policy display mka session Use display mka session to display MKA session information. Syntax display mka session [ interface interface-type interface-number | local-sci sci-id ] [ verbose ] Views Any view Predefined user roles...
  • Page 830 # Display detailed MKA session information on GigabitEthernet 1/0/1. <Sysname> display mka session interface gigabitethernet 1/0/1 verbose Interface GigabitEthernet1/0/1 Tx-SCI : 000C29F6A4380004 Priority Capability: 3 CKN for participant: ABCD Key server : Yes MI (MN) : D7B00EDA353242704CC6B0DB (7) Live peers Potential peers Principal actor : Yes...
  • Page 831 Principal actor: Whether the MKA instance is the principal actor. MKA instance refers to the operation entity of the MKA protocol on a port. A port might have multiple MKA instances. The principal actor is the MKA instance in active state. MKA session status: •...
  • Page 832: Display Mka Statistics

    Previous SAK KI: Key identifier of the previous SAK, a string of hexadecimal digits that contains the key server's 12-byte MI and KN. This field displays N/A in the following situations: • The MKA instance is not the principal actor. •...
  • Page 833: Macsec Confidentiality-Offset

    Table 122 Command output. MKPDUs with invalid CKN: Number of received MKA packets with invalid CKNs. MKPDUs with invalid ICV: Number of MKA packets that failed ICV check. MKPDUs with Rx error: Number of received error MKA packets. CKN for participant: CAK name of the MKA instance.
  • Page 834: Macsec Desire

    Examples # Set the MACsec confidentiality offset to 30 bytes on GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] macsec confidentiality-offset 30 Related commands confidentiality-offset display macsec display mka session mka apply policy macsec desire Use macsec desire to enable MACsec desire. The port expects MACsec protection for outbound frames.
  • Page 835: Macsec Replay-Protection Enable

    Use undo macsec mka-session log enable to disable MKA session logging. Syntax macsec mka-session log enable undo macsec mka-session log enable Default MKA session logging is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This command enables the device to generate logs for MKA session changes, such as peer aging and SAK updates.
  • Page 836: Macsec Replay-Protection Window-Size

    If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the MACsec replay protection configuration in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except MACsec replay protection) of the MKA policy are effective on the port.
  • Page 837: Macsec Validation Mode

    If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the replay protection window size in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except the replay protection window size) of the MKA policy are effective on the port.
  • Page 838: Mka Apply Policy

    [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] macsec validation mode strict Related commands display macsec mka apply policy validation mode mka apply policy Use mka apply policy to apply an MKA policy to a port. Use undo mka apply policy to remove the MKA policy from a port. Syntax mka apply policy policy-name undo mka apply policy...
  • Page 839: Mka Enable

    display mka policy replay-protection enable replay-protection window-size validation mode mka enable Use mka enable to enable MKA on a port. Use undo mka enable to disable MKA on a port. Syntax mka enable undo mka enable Default MKA is disabled on a port. Views Ethernet interface view Predefined user roles...
  • Page 840: Mka Priority

    Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Specifies the name of an MKA policy, a case-sensitive string of 1 to 16 characters. Usage guidelines MKA policy provides a centralized method for configuring MACsec confidentiality offset, validation mode, replay protection, and replay protection window size. The system supports multiple MKA policies.
  • Page 841: Mka Psk

    Parameters priority-value: Specifies the priority value, in the range of 0 to 255. The priority is inversely related to its value. Usage guidelines If you use an 802.1X-generated CAK, the access device port automatically becomes the key server. If you use a preshared key as the CAK, the port that has higher priority (lower priority value) becomes the key server.
  • Page 842: Replay-Protection Enable

    Usage guidelines The CAK can be either generated during 802.1X or manually configured at the CLI. The manually configured CAK takes precedence over the 802.1X-generated key. When 802.1X is not enabled on MACsec ports, you can execute this command to configure a preshared key on each MACsec port.
  • Page 843: Replay-Protection Window-Size

    <Sysname> system-view [Sysname] mka policy abcd [Sysname-mka-policy-abcd] replay-protection enable Related commands macsec replay-protection enable mka apply policy replay-protection window-size replay-protection window-size Use replay-protection window-size to set the MACsec replay protection window size in an MKA policy. Use undo replay-protection window-size to restore the default. Syntax replay-protection window-size size-value undo replay-protection window-size...
  • Page 844: Reset Mka Session

    Related commands macsec replay-protection window-size macsec replay-protection enable mka apply policy reset mka session Use reset mka session to reset MKA sessions on ports. Syntax reset mka session [ interface interface-type interface-number ] Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number.
  • Page 845: Validation Mode

    Examples # Clear MKA statistics on GigabitEthernet 1/0/1. <Sysname> reset mka statistics interface gigabitethernet 1/0/1 Related commands display mka statistics validation mode Use validation mode to set a MACsec validation mode in an MKA policy. Use undo validation mode to restore the default. Syntax validation mode { check | strict } undo validation mode...
  • Page 846: 802.1X Client Commands

    802.1X client commands display dot1x supplicant Use display dot1x supplicant to display 802.1X client authentication information. Syntax display dot1x supplicant [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays 802.1X client authentication information for all interfaces.
  • Page 847: Dot1X Supplicant Anonymous Identify

    Anonymous identifier: 802.1X client anonymous identifier. SSL client policy: SSL client policy used by the 802.1X client feature. FSM state: 802.1X client authentication state: • Init—The authentication process starts. • Connecting—The 802.1X client is connecting to the authenticator. •...
  • Page 848: Dot1X Supplicant Eap-Method

    • TTLS-GTC. If the MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The device uses the 802.1X client username at the first authentication phase. Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.
  • Page 849: Dot1X Supplicant Enable

    [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] dot1x supplicant eap-method peap-gtc Related commands display dot1x supplicant dot1x supplicant enable dot1x supplicant enable Use dot1x supplicant enable to enable the 802.1X client feature. Use undo dot1x supplicant enable to disable the 802.1X client feature. Syntax dot1x supplicant enable undo dot1x supplicant enable...
  • Page 850: Dot1X Supplicant Password

    Default An Ethernet interface uses the interface's MAC address for 802.1X client authentication. If the interface's MAC address is unavailable, the interface uses the device's MAC address for 802.1X client authentication. Views Ethernet interface view Predefined user roles network-admin mdc-admin Parameters mac-address: Specifies a MAC address in the format of H-H-H, excluding multicast, all-zero, and all-F MAC addresses.
  • Page 851: Dot1X Supplicant Ssl-Client-Policy

    Parameters cipher: Specifies a password in encrypted form. simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form. string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 127 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.
  • Page 852: Dot1X Supplicant Username

    If the MD5-Challenge authentication is used, the device does not use an SSL client policy during the authentication process. Examples # Specify SSL client policy policy_1 to be used by an 802.1X client-enabled device on Ten-GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] dot1x supplicant ssl-client-policy policy_1 Related commands display dot1x supplicant...
  • Page 853 [Sysname-Ten-GigabitEthernet1/0/1] dot1x supplicant username aaa Related commands display dot1x supplicant dot1x domain-delimiter dot1x supplicant enable...
  • Page 854: Web Authentication Commands

    Web authentication commands display web-auth Use display web-auth to display Web authentication configuration and running status on interfaces. Syntax display web-auth [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays Web authentication configuration for all interfaces.
  • Page 855: Display Web-Auth Free-Ip

    Web-auth domain: ISP domain used by Web authentication. Auth-fail VLAN: Auth-Fail VLAN for Web authentication. This field displays Not configured if no Auth-Fail VLAN is configured. Offline-detect: Interval of Web authentication user detection. This field displays Not configured if online detection for Web authentication users is disabled. Max online users: Maximum number of Web authentication users allowed on the interface.
  • Page 856: Display Web-Auth User

    Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters. If you do not specify a Web authentication server, this command displays information about all Web authentication servers. Examples # Display information about Web authentication server aaa.
  • Page 857 network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information about online Web authentication users on all interfaces. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays online Web authentication user information for all cards.
  • Page 858: Redirect-Wait-Time

    Default No IP address or port number is specified for a Web authentication server. Views Web authentication server view Predefined user roles network-admin mdc-admin Parameters ipv4-address: Specifies the IPv4 address of the Web authentication server. This IP address is that of a Layer 3 interface on the access device and must be routable to and from the Web authentication user.
  • Page 859: Url

    Default The redirection wait time is 5 seconds. Views Web authentication server view Predefined user roles network-admin mdc-admin Parameters period: Specifies the redirection wait time in the range of 1 to 90 seconds. Usage guidelines After a user passes Web authentication and is assigned an authorization VLAN, the user might need to change the IP address of the authentication client.
  • Page 860: Url-Parameter

    The IP address and port number in the URL must be the same as the IP address and port number of the Web authentication server. Examples # Specify http://192.168.1.1/portal/ as the redirection URL for Web authentication server wbs. <Sysname> system-view [Sysname] web-auth server wbs [Sysname-web-auth-server-wbs] url http://192.168.1.1:80/portal/ Related commands...
  • Page 861: Web-Auth Auth-Fail Vlan

    When you configure the parameter-name argument in this command, you must use the URL parameter name supported by the Web browser. Different Web browsers support different URL parameter names. Examples # Add parameters userip and userurl to the redirection URL of portal Web server wbs. <Sysname>...
  • Page 862: Web-Auth Domain

    Examples # Specify VLAN 5 as Web authentication Auth-Fail VLAN on Ten-GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] port link-type hybrid [Sysname-Ten-GigabitEthernet1/0/1] mac-vlan enable [Sysname-Ten-GigabitEthernet1/0/1] web-auth auth-fail vlan 5 Related commands display web-auth web-auth domain Use web-auth domain to specify an authentication domain for Web authentication users on an interface.
  • Page 863: Web-Auth Free-Ip

    Syntax web-auth enable apply server server-name undo web-auth enable Default Web authentication is disabled. Views Layer 2 Ethernet interface view Predefined user roles network-admin mdc-admin Parameters server-name: Specifies the Web authentication server name, a case-sensitive string of 1 to 32 characters.
  • Page 864: Web-Auth Max-User

    Parameters ip-address: Specifies the Web authentication-free subnet address. mask-length: Specifies the mask length of the Web authentication-free subnet address, in the range of 0 to 32. mask: Specifies a mask for the Web authentication-free subnet in dotted decimal notation. all: Specifies all Web authentication-free subnets. Usage guidelines Web authentication users can access resources in Web authentication-free subnets without being authenticated.
  • Page 865: Web-Auth Offline-Detect

    [Sysname-Ten-GigabitEthernet1/0/1] web-auth max-user 32 Related commands display web-auth web-auth offline-detect Use web-auth offline-detect to enable online detection of Web authentication users. Use undo web-auth offline-detect to disable online detection of Web authentication users. Syntax web-auth offline-detect interval interval undo web-auth offline-detect interval Default Online detection of Web authentication users is disabled.
  • Page 866: Web-Auth Server

    Default No Web proxy server port numbers are configured on the device. Views System view Predefined user roles network-admin mdc-admin Parameters port number: Specifies a Web proxy server TCP port number, in the range of 1 to 65535. all: Specifies all Web proxy server TCP port numbers. Usage guidelines By default, proxied HTTP requests cannot trigger Web authentication but are silently dropped.
  • Page 867 Predefined user roles network-admin mdc-admin Parameters server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters. Usage guidelines In Web authentication server view, you can configure the following parameters and features for the Web authentication server: •...
  • Page 868: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional.
  • Page 869: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 870: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 871: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 872 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 873: Index

