AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

aaa nas-id profile
Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.
Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.
Syntax
In non-FIPS mode:
aaa session-limit { ftp | http | https | ssh | telnet } max-sessions...
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting methods of the ISP domain are used for command line accounting.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Use undo accounting dual-stack to restore the default.
Syntax
accounting dual-stack { merge | separate }
undo accounting dual-stack
Default
The merge method applies.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
merge: Merges IPv4 data with IPv6 data for accounting.
separate: Separates IPv4 data from IPv6 data for accounting.
Predefined user roles
network-admin
mdc-admin
Parameters
broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Examples
# In ISP domain test, perform local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.
<Sysname>...
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
Syntax
accounting quota-out { offline | online }
undo accounting quota-out
Default
The device logs off users that have used up their data quotas.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
offline: Logs off users that have used up their data quotas.
online: Allows users that have used up their data quotas to stay online.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting start-fail online
accounting update-fail
Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts.
Use undo accounting update-fail to restore the default.
Syntax
accounting update-fail { [ max-times max-times ] offline | online }
undo accounting update-fail
Default
The device allows users that have failed all their accounting-update attempts to stay online.
authentication default hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
Views
ISP domain view
Predefined user roles...
authentication lan-access
Use authentication lan-access to specify authentication methods for LAN users.
Use undo authentication lan-access to restore the default.
Syntax
In non-FIPS mode:
authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication lan-access
In FIPS mode:...
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local
Related commands
authentication default
hwtacacs scheme
ldap scheme
local-user
radius scheme
authentication login
Use authentication login to specify authentication methods for login users.
Use undo authentication login to restore the default.
Syntax
In non-FIPS mode:
authentication...
Usage guidelines You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication).
Predefined user roles
network-admin
mdc-admin
Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role.
When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid.
Usage guidelines The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization).
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The following default authorization information applies after users pass authentication:
•...
Use undo authorization portal to restore the default.
Syntax
In non-FIPS mode:
authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization portal
In FIPS mode:
authorization portal { local | radius-scheme radius-scheme-name [ local ] }
undo authorization portal
Default
The default authorization methods of the ISP domain are used for portal users.
traffic: Specifies the traffic direction for the idle cut feature. If you do not specify this keyword, the idle cut feature applies to both traffic directions.
both: Specifies both traffic directions.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
igmp max-access-number max-access-number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently.
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
Field Description
Accounting start failure action: Access control for users that encounter accounting-start failures:
• Online—Allows the users to stay online.
• Offline—Logs off the users.
Accounting update failure max-times: Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain.
Accounting update failure action: Access control for users that have failed all their accounting-update attempts:...
Field Description
ACL number: Authorization ACL for users.
User group: Authorization user group for users.
IPv6 pool: Name of the authorization IPv6 address pool for users.
Authorization redirect URL for users.
IGMP max access number: Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently.
Examples
# Create an ISP domain named test and enter ISP domain view.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test]
Related commands
display domain
domain default enable
domain if-unknown
state (ISP domain view)
domain default enable
Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain.
domain
domain if-unknown
Use domain if-unknown to specify an ISP domain to accommodate users that are assigned to nonexistent domains.
Use undo domain if-unknown to restore the default.
Syntax
domain if-unknown isp-name
undo domain if-unknown
Default
No ISP domain is specified to accommodate users that are assigned to nonexistent domains.
Views
System view
Predefined user roles...
nas-id bind vlan
Use nas-id bind vlan to bind a NAS-ID with a VLAN.
Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.
Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id
Default
No NAS-ID and VLAN bindings exist.
Views
NAS-ID profile view
Predefined user roles...
Predefined user roles
network-admin
mdc-admin
Parameters
hsi: Specifies the High Speed Internet (HSI) service. This service is applicable to users that access the network through 802.1X.
stb: Specifies the Set Top Box (STB) service. This service is applicable to users that access the network through STB.
Usage guidelines
Whether to configure the device to include the idle timeout period in the user online duration sent to the server depends on the accounting policy in your network. Typically, the idle timeout period is assigned by the authorization server after users pass authentication. For portal users, the idle timeout period set for the online portal user detection feature takes priority over the server-assigned idle timeout period.
Usage guidelines
By blocking an ISP domain, you disable offline users of the domain from requesting network services. However, the online users are not affected.
Examples
# Place ISP domain test in blocked state.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block
Related commands
display domain
user-address-type...
Related commands
display domain
Local user commands
access-limit
Use access-limit to set the maximum number of concurrent logins using the local user name.
Use undo access-limit to restore the default.
Syntax
access-limit max-user-number
undo access-limit
Default
The number of concurrent logins using the local user name is not limited.
Views
Local user view
Predefined user roles...
Syntax
authorization-attribute { acl acl-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes | user-role role-name | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | idle-cut | ip-pool | ipv6-pool | session-timeout | user-role role-name | vlan | work-directory } *
Default
The working directory for FTP, SFTP, and SCP users is the root directory of the NAS.
For LAN users, only the following authorization attributes are effective: acl, session-timeout, and vlan. For Telnet and terminal users, only the authorization attributes idle-cut, user-role, and work-directory are effective. For HTTP and HTTPS users, only the authorization attribute user-role is effective. For SSH and FTP users, only the authorization attributes idle-cut, user-role, and work-directory are effective.
bind-attribute
Use bind-attribute to configure binding attributes for a local user.
Use undo bind-attribute to remove binding attributes of a local user.
Syntax
bind-attribute { ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { ip | location | mac | vlan } *
Default
No binding attributes are configured for a local user.
• If the user is a portal user, specify the portal-enabled interface. Specify the Layer 2 Ethernet interface if portal is enabled on a VLAN interface and the portal roaming enable command is not configured.
Examples
# Bind IP address 3.3.3.3 with network access user abc.
<Sysname>...
Default
No description is configured for a network access user.
Views
Network access user view
Predefined user roles
network-admin
mdc-admin
Parameters
text: Configures a description, a case-sensitive string of 1 to 255 characters.
Examples
# Configure a description for network access user 123.
<Sysname>...
lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.
portal: Portal users.
ssh: SSH users.
telnet: Telnet users.
terminal: Terminal users that log in through console ports.
state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.
  User role list: network-operator, level-0, level-3
  Description: A network access user from company cc
  Validity period:
    Start date and time: 2016/01/01-00:01:01
    Expiration date and time: 2017/01/01-01:01:01
Network access guest user1:
  State: Active
  Service type: LAN-access/Portal
  User group: guest1
  Full name: Jack
  Company:
  Email:...
Field Description
User role list: Authorized roles of the local user.
IP pool: IPv4 address pool authorized to the local user.
IPv6 pool: IPv6 address pool authorized to the local user.
Password control configurations: Password control attributes that are configured for the local user.
Password aging: Password expiration time.
network-operator
mdc-admin
mdc-operator
Parameters
all: Specifies all user groups.
name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
Examples
# Display the configuration of all user groups.
<Sysname> display user-group all
Total 2 user groups matched.
User group: system
  Authorization attributes:
    Work directory:...
Field Description
Password complexity: Password complexity checking policy:
• Reject a password that contains the username or the reverse of the username.
• Reject a password that contains any character repeated consecutively three or more times.
Maximum login attempts: Maximum number of consecutive failed login attempts.
Action for exceeding login: Action to take on the user that failed to log in after using up all login attempts...
Syntax
full-name name-string
undo full-name
Default
No name is configured for a local guest.
Views
Local guest view
Predefined user roles
network-admin
mdc-admin
Parameters
name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters.
Examples
# Configure the name as abc Snow for local guest abc.
<Sysname>...
Related commands
display local-user
local-guest email format
Use local-guest email format to configure the subject and body for the email notifications of local guest information.
Use undo local-guest email format to delete the configured subject or body for the email notifications of local guest information.
local-guest send-email
local-guest email sender
Use local-guest email sender to configure the email sender address in email notifications of local guests sent by the device.
Use undo local-guest email sender to restore the default.
Syntax
local-guest email sender email-address
undo local-guest email sender
Default
No email sender address is configured for the email notifications of local guests sent by the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies the path of the SMTP server, a case-sensitive string of 1 to 255 characters. The path must comply with the standard SMTP protocol and start with smtp://.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
count user-count: Specifies the number of local guests to be created. The value range for the user-count argument is 1 to 256.
validity-datetime: Specifies the validity period of the local guests.
start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD.
mdc-admin
Parameters
user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:
• Cannot contain a domain name.
• Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
• Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
• Cannot be a, al, or all.
class: Specifies the local user type.
Syntax
local-user auto-delete enable
undo local-user auto-delete enable
Default
The local user auto-delete feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This feature enables the device to examine the validity of local users at fixed time periods of 10 minutes and automatically delete expired local users.
The device supports TFTP and FTP file transfer modes. Table 4 describes the valid URL formats of the .csv file.
Table 4 URL formats
Protocol: TFTP
URL format: tftp://server/path/filename
Description: Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.
start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional.
Table 5 URL formats
Protocol: TFTP
URL format: tftp://server/path/filename
Description: Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.
Protocol: FTP
URL format:
• With user name and password: ftp://username:password@serve...
Description: Specify an FTP server by IP address or hostname. The device ignores the domain name in the...
Parameters
hash: Specifies a password encrypted by the hash algorithm.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password string. This argument is case sensitive.
•...
Predefined user roles
network-admin
mdc-admin
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Related commands
display local-user
service-type (local user view)
Use service-type to specify the service types that a local user can use.
Use undo service-type to remove service types configured for a local user.
Syntax
In non-FIPS mode:
service-type { ftp | lan-access | { http | https | ssh | telnet | terminal } * | portal }
undo service-type { ftp | lan-access | { http | https | ssh | telnet | terminal } * | portal }
In FIPS mode:
service-type { lan-access | { https | ssh | terminal } * | portal }...
Related commands
display local-user
sponsor-department
Use sponsor-department to specify the department of the guest sponsor for a local guest.
Use undo sponsor-department to restore the default.
Syntax
sponsor-department department-string
undo sponsor-department
Default
No department is specified for the guest sponsor of a local guest.
Views
Local guest view
Predefined user roles...
Parameters
email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822.
Examples
# Specify the email address as Sam@a.com for the guest sponsor of local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] sponsor-email Sam@a.com
Related commands
display local-user...
Default
A local user is in active state.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
You can modify settings for the system-defined user group named system, but you cannot delete the user group.
Examples
# Create a user group named abc and enter user group view.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]
Related commands
display user-group
validity-datetime
Use validity-datetime to specify the validity period for a network access user.
Usage guidelines Expired network access user accounts cannot be used for authentication. When both from and to options are specified, the expiration date and time must be later than the validity start date and time. When only the from option is specified, the user is valid since the specified date and time. When only the to option is specified, the user is valid until the specified date and time.
Examples
# Configure the device ID as 1.
<Sysname> system-view
[Sysname] aaa device-id 1
accounting-on enable
Use accounting-on enable to configure the accounting-on feature.
Use undo accounting-on enable to disable the accounting-on feature.
Syntax
accounting-on enable [ interval interval | send send-times ] *
undo accounting-on enable
Default
The accounting-on feature is disabled.
Use undo accounting-on extended to disable the extended accounting-on feature.
Syntax
accounting-on extended
undo accounting-on extended
Default
The extended accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Usage guidelines
The extended accounting-on feature enhances the accounting-on feature by applying to a distributed architecture.
Usage guidelines
Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.
Examples
# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.
Examples
# In RADIUS DAS view, configure a RADIUS attribute conversion rule to replace the Ab-Server-String attribute in the received DAE packets with the Cd-User-Roles attribute.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] attribute convert Ab-Server-String to Cd-User-Roles received
Related commands
attribute translate
attribute convert (RADIUS scheme view)
Use attribute convert to configure a RADIUS attribute conversion rule.
• A source RADIUS attribute can be converted only by one criterion, packet type or direction.
• One source RADIUS attribute cannot be converted to multiple destination attributes.
If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.
If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.
Examples
# In RADIUS DAS view, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the DAE packets to be sent.
<Sysname>...
If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.
Examples
# In RADIUS scheme radius1, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the RADIUS packets to be sent.
<Sysname>...
attribute translate
Use attribute translate to enable the RADIUS attribute translation feature.
Use undo attribute translate to disable the RADIUS attribute translation feature.
Syntax
attribute translate
undo attribute translate
Default
The RADIUS attribute translation feature is disabled.
Views
RADIUS DAS view
RADIUS scheme view
Predefined user roles
network-admin...
Views
RADIUS DAS view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies a DAC by its IPv4 address.
ipv6 ipv6-address: Specifies a DAC by its IPv6 address.
key: Specifies the shared key for secure communication between the RADIUS DAC and server. Make sure the shared key is the same as the key configured on the RADIUS DAC.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Views
RADIUS scheme view
Predefined user roles...
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.
Examples
# Display the configuration of all RADIUS schemes.
    retransmission times
    retransmission interval(seconds)
  Timeout Interval(seconds)
  Retransmission Times
  Retransmission Times for Accounting Update : 5
  Server Quiet Period(minutes)
  Realtime Accounting Interval(seconds) : 22
  Stop-accounting packets buffering : Enabled
    Retransmission times : 500
  NAS IP Address : 1.1.1.1
  : Not configured
  User Name Format : with-domain
  Data flow unit...
Field Description
Probe username: Username used for RADIUS server status detection.
Probe interval: Server status detection interval, in minutes.
Weight: Weight value of the RADIUS server.
Accounting-On function: Whether the accounting-on feature is enabled.
extended function: Whether the extended accounting-on feature is enabled.
retransmission times: Number of accounting-on packet transmission attempts.
Field Description
Account Update: Number of accounting update packets.
Account Stop: Number of stop-accounting packets.
Terminate Request: Number of packets for logging off users forcibly.
Set Policy: Number of packets for updating user authorization information.
Packet With Response: Number of packets for which responses were received.
Packet Without Response: Number of packets for which no responses were received.
Scheme  Session ID        Username  First sending time   Attempts
rad1    1000326232325010            23:27:16-08/31/2015
        1000326232326010            23:33:01-08/31/2015
Table 8 Command output
Field Description
First sending time: Time when the stop-accounting request was first sent.
Attempts: Number of attempts that were made to send the stop-accounting request.
• In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
The shared keys configured by using this command apply to all servers in the scheme.
• If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
• If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
Usage guidelines
The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS.
Examples
# Enable the RADIUS DAS to listen to UDP port 3790 for DAE requests.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] port 3790
Related commands...
• In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS accounting server belongs.
Use undo primary authentication to restore the default.
Syntax
primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *
undo primary authentication
Default
The primary RADIUS authentication server is not specified.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings. The shared key configured by this command takes precedence over the shared key configured with the key authentication command. The server status detection is triggered for the server if the specified test profile exists on the device.
Predefined user roles
network-admin
mdc-admin
Parameters
attribute-name: Specifies the RADIUS attribute name, a case-insensitive string of 1 to 63 characters. The name must be unique among all RADIUS attributes, including the standard and extended RADIUS attributes.
vendor vendor-id: Specifies a vendor ID in the range of 1 to 65535. If you do not specify a vendor ID, the device processes the RADIUS attribute as a standard RADIUS attribute.
attribute reject (RADIUS scheme view)
attribute translate
radius dscp
Use radius dscp to change the DSCP priority of RADIUS packets.
Use undo radius dscp to restore the default.
Syntax
radius [ ipv6 ] dscp dscp-value
undo radius [ ipv6 ] dscp
Default
The DSCP priority of RADIUS packets is 0.
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After you enable the RADIUS DAS feature, the device listens to the RADIUS DAS port to receive DAE packets from specified DACs. Based on the DAE packet type and contents, the device performs one of the following operations:
•...
Usage guidelines The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.
mdc-admin
Parameters
radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be used by more than one ISP domain at the same time. The device supports a maximum of 16 RADIUS schemes.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
• In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS session-control client belongs.
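The FIPS-mode shared-key rules repeated in the key, primary accounting and session-control parameter descriptions above can be checked offline before a configuration is pushed. The following Python audit is an added example, not code from the manual or the device; it assumes the key { cipher | simple } string syntax shown in the scheme commands, and the configuration lines and key values in it are constructed.

```python
"""Audit RADIUS shared keys in a scheme configuration against the FIPS-mode
rules stated in the command reference (added example, not vendor code)."""
import re
import string

# Limits stated in the command reference for FIPS mode.
FIPS_PLAINTEXT_MIN, FIPS_PLAINTEXT_MAX = 15, 64
FIPS_CIPHERTEXT_MIN, FIPS_CIPHERTEXT_MAX = 15, 117

SPECIALS = set(string.punctuation)


def check_fips_plaintext_key(key: str) -> list:
    """Return the list of rule violations for a plaintext (simple) key; empty means compliant."""
    problems = []
    if not FIPS_PLAINTEXT_MIN <= len(key) <= FIPS_PLAINTEXT_MAX:
        problems.append(f"length {len(key)} outside {FIPS_PLAINTEXT_MIN}-{FIPS_PLAINTEXT_MAX}")
    if not any(c.isdigit() for c in key):
        problems.append("no digit")
    if not any(c.isupper() for c in key):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in key):
        problems.append("no lowercase letter")
    if not any(c in SPECIALS for c in key):
        problems.append("no special character")
    return problems


def check_fips_cipher_key(key: str) -> list:
    """Only a length range is stated for the encrypted (cipher) form, so that is all we check."""
    if FIPS_CIPHERTEXT_MIN <= len(key) <= FIPS_CIPHERTEXT_MAX:
        return []
    return [f"length {len(key)} outside {FIPS_CIPHERTEXT_MIN}-{FIPS_CIPHERTEXT_MAX}"]


# Matches the scheme-level 'key { authentication | accounting } { cipher | simple } string'
# form and the inline 'key { cipher | simple } string' option of the server commands.
KEY_RE = re.compile(r"\bkey\s+(?:(?:authentication|accounting)\s+)?(cipher|simple)\s+(\S+)")


def audit_config(config_text: str) -> dict:
    """Map each offending configuration line to its violations; compliant lines are omitted."""
    findings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = KEY_RE.search(line)
        if not m:
            continue
        form, key = m.groups()
        problems = (check_fips_plaintext_key(key) if form == "simple"
                    else check_fips_cipher_key(key))
        if problems:
            findings[line] = problems
    return findings


# Constructed sample configuration (hypothetical addresses and keys, not from a real device).
SAMPLE_CONFIG = """\
radius scheme radius1
 primary authentication 10.0.0.5 1812 key simple Short1!
 primary accounting 10.0.0.5 1813 key simple abcdefghijklmnop
 key authentication simple Corr3ct-Horse+Battery
 key accounting cipher $c$3$abcd
"""

if __name__ == "__main__":
    for line, problems in audit_config(SAMPLE_CONFIG).items():
        print(f"{line}: {', '.join(problems)}")
```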
Usage guidelines An HPE IMC RADIUS server uses session-control packets to deliver dynamic authorization change requests or disconnection requests to the device. The session-control feature enables the device to receive the RADIUS session-control packets on UDP port 1812. This feature must work with HPE IMC servers.
If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device. When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.
Parameters radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.
If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure. If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the value multiplied by the following items cannot be larger than the client timeout period defined by the access module: •...
To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.
Parameters retries: Specifies the maximum number of transmission attempts. The value range is 10 to 65535. Usage guidelines The maximum number of stop-accounting request transmission attempts controls the transmission of stop-accounting requests together with the following parameters: • RADIUS server response timeout timer (set by using the timer response-timeout command). •...
Parameters host-name: Specifies the host name of a secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary RADIUS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS accounting server. port-number: Specifies the service port number of the secondary RADIUS accounting server.
If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either. Examples # In RADIUS scheme radius1, specify a secondary accounting server with IP address 10.110.1.1 and UDP port 1813.
port-number: Specifies the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812. key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.
• RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
• Excessive authentication failures notification—RADIUS generates this notification when the ratio of authentication failures to the total number of authentication attempts exceeds the specified threshold.
• If you set the status of the server to blocked, the device stops detecting the status of the server. • If you set the status of the server to active, the device starts to detect the status of the server. Examples # In RADIUS scheme radius1, set the status of the primary authentication server to blocked.
Usage guidelines If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers. If the device finds that a secondary server in active state is unreachable, the device performs the following operations: •...
Predefined user roles network-admin mdc-admin Usage guidelines This command enables the device to buffer a RADIUS stop-accounting request that has no response after the maximum transmission attempts (set by using the retry command) have been made. The device resends the buffered request until it receives a server response or when the number of stop-accounting request transmission attempts reaches the upper limit.
Examples
# In RADIUS scheme radius1, set the quiet timer to 10 minutes for the servers.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer quiet 10
Related commands
display radius scheme
timer realtime-accounting (RADIUS scheme view)
Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default.
Examples
# In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
Related commands
retry realtime-accounting
timer response-timeout (RADIUS scheme view)
Use timer response-timeout to set the RADIUS server response timeout timer. Use undo timer response-timeout to restore the default.
Related commands display radius scheme retry user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Use undo user-name-format to restore the default. Syntax user-name-format { keep-original | with-domain | without-domain } undo user-name-format Default The ISP domain name is included in the usernames sent to a RADIUS server.
vpn-instance (RADIUS scheme view) Use vpn-instance to specify an MPLS L3VPN instance for a RADIUS scheme. Use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The RADIUS scheme belongs to the public network. Views RADIUS scheme view Predefined user roles network-admin mdc-admin...
Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters data: Specifies the unit for data flows. byte: Specifies the unit as byte. giga-byte: Specifies the unit as gigabyte. kilo-byte: Specifies the unit as kilobyte. mega-byte: Specifies the unit as megabyte. packet: Specifies the unit for data packets.
Parameters hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes. statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the specified HWTACACS scheme.
Field: Description
Primary Acct Server: Primary HWTACACS accounting server.
Secondary Auth Server: Secondary HWTACACS authentication server.
Secondary Author Server: Secondary HWTACACS authorization server.
Secondary Acct Server: Secondary HWTACACS accounting server.
Host name: Host name of the server. This field displays Not configured in the following situations: •...
Field: Description
PassAdd response packets: Number of received PassAdd response packets. These packets indicate that all requested authorization attributes are assigned and additional authorization attributes are added.
PassReply response packets: Number of received PassReply response packets. The device uses the authorization attributes specified in these packets to replace the requested authorization attributes.
Field: Description
Attempts: Number of attempts that were made to send the stop-accounting request.
Related commands
reset stop-accounting-buffer (for HWTACACS)
retry stop-accounting (HWTACACS scheme view)
stop-accounting-buffer enable (HWTACACS scheme view)
user-name-format (HWTACACS scheme view)
hwtacacs nas-ip
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets. Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.
If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: • The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme. • The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication. Use undo key to delete the shared key for secure HWTACACS authentication, authorization, or accounting communication.
[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
# Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication.
[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!
# Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.
[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!
Related commands
display hwtacacs scheme...
If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: • The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme. • The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key. This argument is case sensitive. • In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
Syntax primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] * undo primary authentication Default The primary HWTACACS authentication server is not specified. Views HWTACACS scheme view Predefined user roles...
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme. You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Specifies the key. This argument is case sensitive. • In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.
Syntax retry stop-accounting retries undo retry stop-accounting Default The maximum number of transmission attempts for individual HWTACACS stop-accounting requests is 100. Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters retries: Specifies the maximum number of transmission attempts for HWTACACS stop-accounting requests.
Parameters host-name: Specifies the host name of a secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary HWTACACS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS accounting server. port-number: Specifies the service port number of the secondary HWTACACS accounting server.
keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Views HWTACACS scheme view Predefined user roles network-admin mdc-admin Parameters host-name: Specifies the host name of a secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters. ipv4-address: Specifies the IPv4 address of a secondary HWTACACS authorization server. ipv6 ipv6-address: Specifies the IPv6 address of a secondary HWTACACS authorization server.
You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation. Examples # In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.
Related commands display stop-accounting-buffer (for HWTACACS) reset stop-accounting-buffer (for HWTACACS) timer quiet (HWTACACS scheme view) Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme. Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet Default...
mdc-admin Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server. Usage guidelines For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically.
Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server. The client timeout period of the associated access module cannot be shorter than the total response timeout timer of all HWTACACS servers in the scheme.
Examples
# In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
Related commands
display hwtacacs scheme
vpn-instance (HWTACACS scheme view)
Use vpn-instance to specify an MPLS L3VPN instance for an HWTACACS scheme.
Use undo attribute-map to restore the default. Syntax attribute-map map-name undo attribute-map Default An LDAP scheme does not use an LDAP attribute map. Views LDAP scheme view Predefined user roles network-admin mdc-admin Parameters map-name: Specifies an LDAP attribute map by its name, a case-insensitive string of 1 to 31 characters.
Predefined user roles network-admin mdc-admin Parameters server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters. Usage guidelines You can specify only one LDAP authentication server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.
[Sysname-ldap-ldap1] authorization-server ccc
Related commands
display ldap scheme
ldap server
display ldap scheme
Use display ldap scheme to display LDAP scheme configuration.
Syntax
display ldap scheme [ ldap-scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
LDAP protocol version : LDAPv3
Server timeout interval : 10 seconds
Login account DN : Not configured
Base DN : Not configured
Search scope : all-level
User searching parameters:
  User object class : Not configured
  Username attribute : cn
  Username format : with-domain
Attribute map : map1...
Syntax ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ip Default An LDAP server does not have an IP address. Views LDAP server view Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies the IP address of the LDAP server. port port-number: Specifies the TCP port number of the LDAP server.
Predefined user roles network-admin mdc-admin Parameters ipv6-address: Specifies the IPv6 address of the LDAP server. port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs.
Usage guidelines Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map. Each entry defines the mapping between an LDAP attribute and an AAA attribute. Examples # Create an LDAP attribute map named map1 and enter LDAP attribute map view. <Sysname>...
ldap server Use ldap server to create an LDAP server and enter its view, or enter the view of an existing LDAP server. Use undo ldap server to delete an LDAP server. Syntax ldap server server-name undo ldap server server-name Default No LDAP servers exist.
Parameters dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters. Usage guidelines The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server. If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.
[Sysname] ldap server ccc
[Sysname-ldap-server-ccc] login-password simple abcdefg
Related commands
display ldap scheme
login-dn
map
Use map to configure a mapping entry in an LDAP attribute map. Use undo map to delete the specified mapping entries from the LDAP attribute map.
Syntax
map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute user-group...
[Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
Related commands
ldap attribute-map
user-group
protocol-version
Use protocol-version to specify the LDAP version. Use undo protocol-version to restore the default.
Syntax
protocol-version { v2 | v3 }
undo protocol-version
Default
The LDAP version is LDAPv3.
Syntax search-base-dn base-dn undo search-base-dn Default No base DN is specified for user search. Views LDAP server view Predefined user roles network-admin mdc-admin Parameters base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters. Examples # Specify the base DN for user search as dc=ldap,dc=com for LDAP server ccc.
Examples # Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] search-scope all-level Related commands display ldap scheme ldap server server-timeout Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.
Syntax user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name } undo user-parameters { user-name-attribute | user-name-format | user-object-class } Default The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.
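The map entry shown earlier for the memberof attribute (prefix cn=, delimiter ,) and the user-parameters search settings above (username attribute, user object class) translate into two small routines: one that extracts a group name from each memberOf DN the way a prefix/delimiter map entry does, and one that builds the user search filter with RFC 4515 escaping so that a crafted username cannot change the filter's meaning. The Python below is an added example, not code from this command reference or from the device; the case-insensitive prefix comparison and the exact filter form are assumptions made for the example, and the memberOf values are constructed.

```python
# Added example: LDAP attribute-map extraction and user search filter construction.

# RFC 4515 escaping for values placed inside an LDAP search filter; backslash first.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username, name_attribute="cn", object_class=None):
    """Filter for locating the user entry under the base DN. Assumed form:
    (cn=<user>) or, with a user object class, (&(objectClass=<class>)(cn=<user>))."""
    term = f"({name_attribute}={escape_filter_value(username)})"
    if object_class is None:
        return term
    return f"(&(objectClass={escape_filter_value(object_class)}){term})"


def map_ldap_attribute(values, prefix=None, delimiter=None):
    """Apply one 'map ldap-attribute <attr> [prefix P delimiter D] aaa-attribute user-group'
    entry to the attribute's values. For each value: drop the prefix (compared
    case-insensitively, an assumption made here because DN attribute types are
    case-insensitive), keep the text up to the delimiter, and skip values that do
    not carry the prefix."""
    groups = []
    for value in values:
        if prefix is not None:
            if value[: len(prefix)].lower() != prefix.lower():
                continue
            value = value[len(prefix):]
        if delimiter is not None:
            value = value.split(delimiter, 1)[0]
        if value:
            groups.append(value)
    return groups


# Constructed sample: the memberOf values of one user entry.
SAMPLE_MEMBER_OF = [
    "cn=netadmin,ou=groups,dc=ldap,dc=com",
    "CN=ops,OU=groups,DC=ldap,DC=com",
    "ou=orphans,dc=ldap,dc=com",
]

if __name__ == "__main__":
    print(user_search_filter("alice", "uid", "person"))
    print(map_ldap_attribute(SAMPLE_MEMBER_OF, prefix="cn=", delimiter=","))
```

The escaping matters because the username in the filter comes from the supplicant: without it, a login name such as `*)(uid=*` turns a lookup for one entry into a wildcard match.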
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display information about all activated RADIUS clients.
<Sysname> display radius-server active-client
Total 2 RADIUS clients.
Client IP: 2.2.2.2
Client IP: 3.3.3.3
Related commands
radius-server client
display radius-server active-user
Use display radius-server active-user to display information about activated RADIUS users.
Username: test
Description: A network access user from company cc
Authorization attributes:
  VLAN ID: 2
  ACL number: 2000
Validity period:
  Expiration time: 2015/04/03-18:00:00
# Display information about all activated RADIUS users.
<Sysname> display radius-server active-user
Total 2 RADIUS users matched.
Username: 123
Description: A network access user from company cc
Authorization attributes:...
Syntax radius-server activate Views System view Predefined user roles network-admin mdc-admin Usage guidelines Use this command to immediately activate the most recent RADIUS server configuration after you have added, modified, or deleted RADIUS clients and network access users from which RADIUS user data is generated.
string: Specifies a case-sensitive key string. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters. all: Specifies all RADIUS clients. Usage guidelines The IP address of a RADIUS client must be the same as the source IP address for outgoing RADIUS packets specified on the RADIUS client.
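The two checks described here and in the nas-ip usage guidelines earlier in the section, a RADIUS server identifying the NAS by the source address of its packets and then validating the packet with that client's shared key, can be followed end to end in the RFC 2866 accounting exchange. The Python below is an added example; it is not code from this command reference or from the device, and the client table, keys and packet contents are constructed here. The Request Authenticator of an Accounting-Request is MD5 over the packet (with 16 zero octets in the authenticator field) plus the shared key, so a server that maps the source address to a different key, or to no client at all, rejects the packet; the Accounting-Response is bound to the request in the same way.

```python
# Added example: RADIUS Accounting-Request / Accounting-Response authentication (RFC 2866).
import hashlib
import hmac
import struct

ACCT_REQUEST = 4
ACCT_RESPONSE = 5
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed client table: what "radius-server client ip <addr> key simple <key>"
# gives the server. The NAS is looked up by the source address of its packets.
CLIENTS = {
    "2.2.2.2": b"radius-key-1",
    "3.3.3.3": b"radius-key-2",
}


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attributes: Type(1) Length(1) Value."""
    out = b""
    for typ, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def accounting_request(ident, attrs, secret):
    """NAS side. Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_request(src_ip, packet):
    """Server side: identify the NAS by source IP, then check the authenticator
    with that NAS's key. Returns (accepted, reason)."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return False, "unknown NAS source address"
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False, "bad code or length"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return False, "bad request authenticator (shared key mismatch)"
    return True, "ok"


def accounting_response(request, secret):
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret); no attributes here."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], HEADER_LEN)
    auth = hashlib.md5(header + request[4:HEADER_LEN] + secret).digest()
    return header + auth


def verify_accounting_response(request, response, secret):
    """NAS side: a response counts only if it is bound to our request by ID and key."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(
        response[:4] + request[4:HEADER_LEN] + response[HEADER_LEN:] + secret
    ).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


# Constructed stop-accounting request: Acct-Status-Type(40)=Stop(2), User-Name(1), Acct-Session-Id(44).
SAMPLE_ATTRS = [
    (40, struct.pack("!I", 2)),
    (1, b"test@dom1"),
    (44, b"1000000001"),
]

if __name__ == "__main__":
    req = accounting_request(7, SAMPLE_ATTRS, CLIENTS["2.2.2.2"])
    print(verify_accounting_request("2.2.2.2", req))  # accepted
    print(verify_accounting_request("3.3.3.3", req))  # key for that address does not match
    print(verify_accounting_request("9.9.9.9", req))  # unknown NAS
```

The source-address lookup is why the guidelines insist that the NAS's outgoing source address equal the address configured on the server: a packet arriving from 3.3.3.3 is checked against radius-key-2 even though it was built with radius-key-1, and fails. It also shows why the stop-accounting buffer and retry settings matter: until a response bound to the request arrives, the NAS has no proof the server ever saw the stop record.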
802.1X commands display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics.
Online 802.1X wired users
Ten-GigabitEthernet1/0/1 is link-up
  802.1X authentication : Enabled
  Handshake : Enabled
  Handshake reply : Disabled
  Handshake security : Disabled
  Unicast trigger : Disabled
  Periodic reauth : Disabled
  Port role : Authenticator
  Authorization mode : Auto
  Port access control : Port-based
  Multicast trigger : Enabled...
Field: Description
CHAP authentication: Performs EAP termination and uses CHAP to communicate with the RADIUS server.
EAP authentication: Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.
PAP authentication: Performs EAP termination and uses PAP to communicate with the RADIUS server.
Field: Description
Port access control: Access control method of the port:
• MAC-based—MAC-based access control.
• Port-based—Port-based access control.
Multicast trigger: Whether the 802.1X multicast trigger feature is enabled.
Mandatory auth domain: Mandatory authentication domain on the port.
Guest VLAN: 802.1X guest VLAN configured on the port. If no 802.1X guest VLAN is configured on the port, this field displays Not configured.
Field: Description
Add Guest VSI delay: Status and mode of the 802.1X guest VSI assignment delay feature on a port:
• EAPOL only—EAPOL-triggered 802.1X guest VSI assignment delay is enabled.
• NewMAC only—New MAC-triggered 802.1X guest VSI assignment delay is enabled.
•...
mdc-operator Parameters open: Displays information only about 802.1X users that use nonexistent usernames or incorrect passwords for network access in open authentication mode. If you do not specify this keyword, the command displays information about all online 802.1X users. interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays online 802.1X user information for all ports.
Field: Description
User MAC address: MAC address of the user.
Access interface: Interface through which the user accesses the device.
User access state: Access state of the user.
• Successful—The user passes 802.1X authentication and comes online.
• Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.
display dot1x mac-address Use display dot1x mac-address to display MAC address information of 802.1X users in 802.1X VLANs or VSIs of a specific type. Syntax display dot1x mac-address { auth-fail-vlan | auth-fail-vsi | critical-vlan | critical-vsi | guest-vlan | guest-vsi } [ interface interface-type interface-number ] Views Any view Predefined user roles...
MAC addresses: 8
  0800-2700-9427 0800-2700-2341 0800-2700-2324 0800-2700-2351
  0800-2700-5627 0800-2700-2251 0800-2700-8624 0800-2700-3f51
Interface: Ten-GigabitEthernet1/0/4
Auth-Fail VSI: text1-vsi
Aging time: 30 sec
MAC addresses: 2
  0801-2700-9427 0801-2700-2341
Table 18 Command output
Field: Description
Total MAC addresses: Total number of MAC addresses in the specified VLAN or VSI on the specified port or all ports.
Views System view Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines For the 802.1X feature to take effect on a port, you must enable the feature both globally and on the port.
successful-login: Specifies logs generated for successful logins of 802.1X users. Usage guidelines As a best practice, disable this feature to prevent excessive output of logs for 802.1X users. If you do not specify any parameters, this command enables all logging functions for 802.1X users. Examples # Enable logging for login failures of 802.1X users.
Related commands display dot1x dot1x authentication-method Use dot1x authentication-method to specify an EAP message handling method. Use undo dot1x authentication-method to restore the default. Syntax dot1x authentication-method { chap | eap | pap } undo dot1x authentication-method Default The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS commands." If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] dot1x auth-fail vlan 100
Related commands
display dot1x
dot1x auth-fail vsi
Use dot1x auth-fail vsi to configure an 802.1X Auth-Fail VSI on a port. Use undo dot1x auth-fail vsi to restore the default.
Syntax
dot1x auth-fail vsi authfail-vsi-name
undo dot1x auth-fail vsi...
dot1x critical eapol Use dot1x critical eapol to enable the sending of an EAP-Success packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on a port. Use undo dot1x critical eapol to restore the default. Syntax dot1x critical eapol undo dot1x critical eapol...
Default No 802.1X critical VLAN exists on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters critical-vlan-id: Specifies the ID of the 802.1X critical VLAN on the port. The value range for the VLAN ID is 1 to 4094.
Predefined user roles network-admin mdc-admin Parameters critical-vsi-name: Specifies the name of the 802.1X critical VSI on the port, a case-sensitive string of 1 to 31 characters. Usage guidelines An 802.1X critical VSI accommodates users that have failed 802.1X authentication because all the RADIUS servers in their ISP domains are unreachable.
• The port is configured with the voice VLAN. To configure a voice VLAN on a port, use the voice-vlan enable command (see Layer 2—LAN Switching Command Reference). • LLDP is enabled both globally and on the port. The device uses LLDP to identify voice users. For information about LLDP commands, see Layer 2—LAN Switching Command Reference.
If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\).
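The rightmost-delimiter rule above, together with user-name-format { keep-original | with-domain | without-domain } from RADIUS scheme view and the note under dot1x authentication-method that user-name-format has no effect in EAP relay mode, is small enough to model directly. The Python below is an added example, not code from this command reference or from the device; the default domain name and the handling of a username that carries no domain part under with-domain are assumptions made for the example, and the usernames are constructed (one of them is the reference's own 121.123/22\@abc case).

```python
# Added example: username splitting at the rightmost configured delimiter and
# the username format forwarded to the RADIUS server.


def split_username(raw, delimiters="@"):
    """Split at the rightmost occurrence of any configured delimiter character.
    Returns (user, domain); domain is None when no delimiter is present."""
    pos = max(raw.rfind(d) for d in delimiters)
    if pos < 0:
        return raw, None
    return raw[:pos], raw[pos + 1:]


def isp_domain(raw, delimiters="@", default_domain="system"):
    """ISP domain the user is authenticated in: the domain part of the username
    if present, otherwise the default domain (its name is an assumption here)."""
    _user, domain = split_username(raw, delimiters)
    return domain if domain is not None else default_domain


def username_for_server(raw, delimiters="@", fmt="with-domain",
                        default_domain="system", eap_relay=False):
    """Username forwarded to the RADIUS server under user-name-format
    { keep-original | with-domain | without-domain }. In EAP relay mode the
    username inside the EAP packet is passed through unchanged, so the format
    setting has no effect; eap_relay=True models that."""
    if eap_relay or fmt == "keep-original":
        return raw
    user, domain = split_username(raw, delimiters)
    if fmt == "without-domain":
        return user
    if fmt == "with-domain":
        # Assumption for the example: a username without a domain part is sent
        # with the default domain appended using the first configured delimiter.
        return raw if domain is not None else f"{user}{delimiters[0]}{default_domain}"
    raise ValueError(f"unknown user-name-format {fmt!r}")


if __name__ == "__main__":
    # Delimiters / . \ configured, username 121.123/22\@abc: the backslash wins.
    print(split_username("121.123/22\\@abc", "/.\\"))  # ('121.123/22', '@abc')
    print(username_for_server("test@dom1", fmt="without-domain"))  # test
```

Two practical consequences fall out of the model: because only the rightmost delimiter counts, a supplicant can pick its ISP domain (and therefore its AAA scheme) with any delimiter it likes, so configure only the delimiters you need; and a server-side user database must be populated in whichever form the device's format setting produces, or EAP relay will silently bypass that setting.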
undo dot1x ead-assistant url Default No redirect URL exists for EAD assistant. Views System view Predefined user roles network-admin mdc-admin Parameters url-string: Specifies the redirect URL, a case-sensitive string of 1 to 256 characters in the format http://string or https://string. If the specified URL does not start with http:// or https://, the URL is considered to start with http:// by default.
Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines This command enables the device to send 802.1X protocol packets out of an 802.1X-enabled port without VLAN tags. Use this command to prevent terminal devices connected to the port from failing 802.1X authentication when the following conditions exist: •...
Usage guidelines An 802.1X guest VLAN accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
When 802.1X authentication is triggered on a port, the device performs the following operations:
1. Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication.
2. Retransmits the packet if no response has been received within the username request timeout interval set by using the dot1x timer tx-period command.
You can configure only one 802.1X guest VSI on a port. The 802.1X guest VSIs on different ports can be different. On a port, the 802.1X guest VSI configuration is mutually exclusive with the 802.1X guest VLAN, 802.1X Auth-Fail VLAN, and 802.1X critical VLAN settings. Examples # Specify VSI vsiuser as the 802.1X guest VSI on Ten-GigabitEthernet 1/0/1.
Assigns the port to the 802.1X guest VSI after the maximum number of request attempts set by using the dot1x retry command is reached. If you use the undo command without any keyword, the command disables both EAPOL-triggered and new MAC-triggered 802.1X guest VSI assignment delays on a port. Examples # Enable EAPOL-triggered 802.1X guest VSI assignment delay on Ten-GigabitEthernet 1/0/1.
Related commands display dot1x dot1x timer handshake-period dot1x retry dot1x handshake reply enable Use dot1x handshake reply enable to enable the 802.1X online user handshake reply feature. Use undo dot1x handshake reply enable to disable the 802.1X online user handshake reply feature.
Default The online user handshake security feature is disabled. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines The online user handshake security feature enables the device to prevent users from using illegal client software.
Parameters mac-address: Specifies a MAC address in the format of H-H-H, excluding broadcast, multicast, and all-zero MAC addresses. all: Specifies all MAC addresses that are bound to a port. Usage guidelines This command takes effect only when the 802.1X MAC address binding feature takes effect. 802.1X MAC address binding entries, both manually added and automatically generated, never age out.
The 802.1X MAC address binding feature automatically binds MAC addresses of authenticated 802.1X users to the users' access port and generates 802.1X MAC address binding entries. 802.1X MAC address binding entries, both automatically generated and manually added, never age out. They can survive a user logoff or a device reboot. To delete an entry, you must use the undo dot1x mac-binding mac-address command.
Default ISP domain.
Examples
# Specify my-domain as the mandatory authentication domain for 802.1X users on Ten-GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain
Related commands
display dot1x
dot1x max-user
Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port. Use undo dot1x max-user to restore the default.
Use undo dot1x multicast-trigger to disable the 802.1X multicast trigger feature.
Syntax
dot1x multicast-trigger
undo dot1x multicast-trigger
Default
The 802.1X multicast trigger feature is enabled.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The multicast trigger feature enables the device to act as the initiator of 802.1X authentication on the port.
mdc-admin Parameters authorized-force: Places the port in authorized state, enabling users on the port to access the network without authentication. auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and places the port in authorized state after a user passes authentication. You can use this option in most scenarios.
Default The 802.1X periodic reauthentication feature is disabled. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines Periodic reauthentication enables the access device to periodically authenticate online 802.1X users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.
[Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] dot1x re-authenticate manual Related commands dot1x re-authenticate dot1x re-authenticate server-unreachable keep-online Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port. Use undo dot1x re-authenticate server-unreachable to restore the default. Syntax dot1x re-authenticate server-unreachable keep-online undo dot1x re-authenticate server-unreachable Default The keep-online feature is disabled on a port.
Default A maximum of two attempts are made to send an authentication request to a client. Views System view Predefined user roles network-admin mdc-admin Parameters retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
• Periodic reauthentication timer: 3600 seconds. • Server timeout timer: 100 seconds. • Client timeout timer: 30 seconds. • Username request timeout timer: 30 seconds. Views System view Predefined user roles network-admin mdc-admin Parameters ead-timeout ead-timeout-value: Specifies the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440.
• Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable 802.1X periodic reauthentication on a port, use the dot1x re-authenticate command. • Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server.
Usage guidelines The device reauthenticates online 802.1X users on a port at the specified periodic reauthentication interval when the port is enabled with periodic reauthentication. To enable periodic reauthentication on a port, use the dot1x re-authenticate command. A change to the periodic reauthentication timer applies to online users only after the old timer expires.
Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. mac-address mac-address: Specifies the MAC address of an 802.1X user in the guest VLAN. If you do not specify this option, the command removes all 802.1X users from the 802.1X guest VLAN on the port.
Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears 802.1X statistics on all ports. Examples # Clear 802.1X statistics on Ten-GigabitEthernet 1/0/1. <Sysname>...
MAC authentication commands display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics. Syntax display mac-authentication [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If the specified port is not enabled with MAC authentication, this command displays only global MAC authentication information.
Auth-delay period          : 60 s
Periodic reauth            : Enabled
Reauth period              : 120 s
Re-auth server-unreachable : Logoff
Guest VLAN                 : 100
Guest VLAN auth-period     : 150 s
Critical VLAN              : Not configured
Critical voice VLAN        : Disabled
Host mode                  : Multiple VLAN
Offline detection          : Enabled...
Field Description
Authentication domain: MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays Not configured, use default domain.
Online MAC-auth wired users: Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.
Field Description
Authentication order: If parallel processing of MAC authentication and 802.1X authentication is disabled, this field displays Default. If parallel processing of MAC authentication and 802.1X authentication is enabled, this field displays Parallel.
Guest VSI: MAC authentication guest VSI configured on the port. If no MAC authentication guest VSI is configured, this field displays Not configured.
interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about online MAC authentication users for all ports. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about online MAC authentication users for all cards.
Field Description
User access state: Access state of the user:
• Successful—The user passes MAC authentication and comes online.
• Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.
Authentication domain: MAC authentication domain to which the user belongs.
IPv4 address of the user.
mdc-admin mdc-operator Parameters critical-vlan: Specifies the MAC authentication critical VLAN. critical-vsi: Specifies the MAC authentication critical VSI. guest-vlan: Specifies the MAC authentication guest VLAN. guest-vsi: Specifies the MAC authentication guest VSI. interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MAC address information of MAC authentication users in the specified MAC authentication VLAN or VSI on all ports.
Field Description
Type VLAN/VSI: VLAN or VSI information for MAC authentication users. The Type argument has the following values:
• Critical VLAN.
• Critical VSI.
• Guest VLAN.
• Guest VSI.
Aging time: MAC address aging time in seconds. This field displays N/A if the MAC addresses do not age out.
MAC addresses: Number of matching MAC addresses on a port.
Syntax mac-authentication carry user-ip undo mac-authentication carry user-ip Default A MAC authentication request does not include the user IP address. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines This command prevents the IP address conflicts that users can cause by changing their IP addresses. After you configure this command, a user cannot pass MAC authentication if the IP and MAC information in the authentication request does not match the user's IP-MAC mapping on the IMC server.
Default No MAC authentication critical VLAN exists on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters critical-vlan-id: Specifies a VLAN as the MAC authentication critical VLAN. The value range for the VLAN ID is 1 to 4094.
Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters critical-vsi-name: Specifies the name of the MAC authentication critical VSI on the port, a case-sensitive string of 1 to 31 characters. Usage guidelines The MAC authentication critical VSI accommodates users that have failed MAC authentication because all the servers in their ISP domains are unreachable.
Usage guidelines The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable. Before you enable the MAC authentication critical voice VLAN on the port, make sure the following requirements are met: •...
Parameters domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters. Usage guidelines The global authentication domain applies to all MAC authentication-enabled ports. An authentication domain specified in Layer 2 Ethernet interface view or Layer 2 aggregate interface view applies only to the port.
passwords entered. You can deploy a limited set of network resources in the MAC authentication guest VLAN. For example, a software server for downloading software and system patches. You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
Related commands display mac-authentication mac-authentication guest-vlan mac-authentication guest-vsi Use mac-authentication guest-vsi to configure a MAC authentication guest VSI on a port. Use undo mac-authentication guest-vsi to restore the default. Syntax mac-authentication guest-vsi guest-vsi-name undo mac-authentication guest-vsi Default No MAC authentication guest VSI exists on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view...
mac-authentication guest-vsi auth-period Use mac-authentication guest-vsi auth-period to set the interval at which the device authenticates users in the MAC authentication guest VSI. Use undo mac-authentication guest-vsi auth-period to restore the default. Syntax mac-authentication guest-vsi auth-period period-value undo mac-authentication guest-vsi auth-period Default The device authenticates users in the MAC authentication guest VSI every 30 seconds.
Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines The MAC authentication multi-VLAN mode protects an authenticated online user from service interruptions caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN that does not match the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user.
Usage guidelines Set the maximum number of concurrent MAC authentication users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent MAC authentication users. Examples # Configure Ten-GigabitEthernet 1/0/1 to support a maximum of 32 concurrent MAC authentication users.
mac-authentication parallel-with-dot1x Use mac-authentication parallel-with-dot1x to enable parallel processing of MAC authentication and 802.1X authentication on a port. Use undo mac-authentication parallel-with-dot1x to restore the default. Syntax mac-authentication parallel-with-dot1x undo mac-authentication parallel-with-dot1x Default Parallel processing of MAC authentication and 802.1X authentication is disabled on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view...
mac-authentication re-authenticate Use mac-authentication re-authenticate to enable the periodic MAC reauthentication feature on a port. Use undo mac-authentication re-authenticate to disable the periodic MAC reauthentication feature on a port. Syntax mac-authentication re-authenticate undo mac-authentication re-authenticate Default The periodic MAC reauthentication feature is disabled on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view...
Default The keep-online feature is disabled on a port. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Usage guidelines The keep-online feature keeps authenticated MAC authentication users online when no server is...
Parameters auth-delay auth-delay-time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180. reauth-period reauth-period-value: Specifies the port-specific periodic MAC reauthentication timer in seconds. The value range is 60 to 7200. Usage guidelines When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered.
• The quiet timer is 60 seconds. • The global periodic MAC reauthentication timer is 3600 seconds. • The server timeout timer is 100 seconds. Views System view Predefined user roles network-admin mdc-admin Parameters offline-detect offline-detect-value: Specifies the offline detect timer in the range of 60 to 2147483647, in seconds.
Examples # Configure a shared account for MAC authentication users, and set the username to abc and password to plaintext string of xyz. <Sysname> system-view [Sysname] mac-authentication user-name-format fixed account abc password simple xyz # Use MAC-based user accounts for MAC authentication users. Each MAC address must be in the hexadecimal notation with hyphens, and letters are in upper case.
Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical VSI on the port. Examples # Remove the user with MAC address 1-1-1 from the MAC authentication critical VSI on Ten-GigabitEthernet 1/0/1.
reset mac-authentication guest-vlan Use reset mac-authentication guest-vlan to remove users from the MAC authentication guest VLAN on a port. Syntax reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ] Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. mac-address mac-address: Specifies a user by its MAC address.
Examples # Remove the user with MAC address 1-1-1 from the MAC authentication guest VSI on Ten-GigabitEthernet 1/0/1. <Sysname> reset mac-authentication guest-vsi interface ten-gigabitethernet 1/0/1 mac-address 1-1-1 Related commands display mac-authentication mac-authentication guest-vsi reset mac-authentication statistics Use reset mac-authentication statistics to clear MAC authentication statistics. Syntax reset mac-authentication statistics [ interface interface-type interface-number ] Views...
Portal commands aging-time Use aging-time to set the aging time for MAC-trigger entries. Use undo aging-time to restore the default. Syntax aging-time seconds undo aging-time Default The aging time for MAC-trigger entries is 300 seconds. Views MAC binding server view Predefined user roles network-admin mdc-admin...
authentication-timeout Use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving a MAC binding query response. Use undo authentication-timeout to restore the default. Syntax authentication-timeout minutes undo authentication-timeout Default The authentication timeout time is 3 minutes.
Predefined user roles network-admin mdc-admin Parameters retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10. interval interval: Specifies the query interval in the range of 1 to 60 seconds. Usage guidelines If the device does not receive a response from the MAC binding server after the maximum number of query attempts is reached, the device determines that the MAC binding server is unreachable.
Usage guidelines You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device. After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages.
Pre-auth domain: abc
User-dhcp-only: Enabled
Pre-auth IP pool: ab
Max Portal users: Not configured
Bas-ip: Not configured
User detection : Type: ICMP  Interval: 300s  Attempts: 5  Idle time: 180s
Action for server detection:
  Server type     Server name     Action
  Web server                      fail-permit
  Portal server                   fail-permit...
Field Description
Portal status: Portal authentication status on the interface:
• Disabled—Portal authentication is disabled.
• Enabled—Portal authentication is enabled.
• Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication.
Authentication mode enabled on the interface:
•...
portal enable portal free-all except destination portal ipv6 free-all except destination portal ipv6 layer3 source portal layer3 source portal web-server display portal mac-trigger-server Use display portal mac-trigger-server to display information about MAC binding servers. Syntax display portal mac-trigger-server { all | name server-name } Views Any view Predefined user roles...
3.0—Version 3.
Server type: Type of the MAC binding server. This field always displays IMC, which indicates the HPE IMC server.
IP address of the MAC binding server.
Port: UDP port number on which the MAC binding server listens for MAC binding query packets.
display portal packet statistics Use display portal packet statistics to display packet statistics for portal authentication servers. Syntax display portal packet statistics [ server server-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
NTF_USER_NOTIFY
AFF_NTF_USER_NOTIFY
Table 24 Command output
Field Description
Portal server: Name of the portal authentication server.
Invalid packets: Number of invalid packets.
Pkt-Type: Packet type.
Total: Total number of packets.
Drops: Number of dropped packets.
Errors: Number of packets that carry error information.
REQ_CHALLENGE: Challenge request packet the portal authentication server sent to the access device.
Field Description
NTF_USER_NOTIFY: User information notification packet the access device sent to the portal authentication server.
AFF_NTF_USER_NOTIFY: NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.
Related commands reset portal packet statistics display portal rule Use display portal rule to display portal filtering rules. Syntax In standalone mode: display portal rule { all | dynamic | static } { interface interface-type interface-number [ slot...
Rule 1
  Type       : Static
  Action     : Permit
  Protocol   : Any
  Status     : Active
  Source:
               : 0.0.0.0
    Mask       : 0.0.0.0
    Port       : Any
               : 0000-0000-0000
    Interface  : Vlan-interface100
    VLAN       : 100
  Destination:
               : 192.168.0.111
    Mask       : 255.255.255.255
    Port       : Any
Rule 2
  Type       : Dynamic...
  Source:
               : 0.0.0.0
    Mask       : 0.0.0.0
    Interface  : Vlan-interface100
    VLAN       : Any
  Destination:
               : 0.0.0.0
    Mask       : 0.0.0.0
IPv6 portal rules on Vlan-interface100:
Rule 1
  Type       : Static
  Action     : Permit
  Protocol   : Any
  Status     : Active
  Source:
               : ::
    Prefix length
    Port       : Any...
  Protocol   : TCP
  Destination:
               : ::
    Prefix length
    Port       : 80
Rule 4:
  Type       : Static
  Action     : Deny
  Status     : Active
  Source:
               : ::
    Prefix length
    Interface  : Vlan-interface100
    VLAN       : 100
  Destination:
               : ::
    Prefix length
  Author ACL:
    Number     : 3001
Rule 5:...
Field Description
Status: Status of the portal filtering rule:
• Active—The portal filtering rule is effective.
• Unactuated—The portal filtering rule is not activated.
Source: Source information of the portal filtering rule.
Source IP address.
Mask: Subnet mask of the source IPv4 address.
Prefix length: Prefix length of the source IPv6 address.
Usage guidelines If you do not specify the server-name argument, this command displays information about all portal authentication servers. Examples # Display information about the portal authentication server pts.
<Sysname> display portal server pts
Portal server: pts
  Type         : IMC
               : 192.168.0.111
  VPN instance : Not configured...
Syntax display portal user { all | interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address | pre-auth [ interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address ] } [ verbose ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator...
000d-88f8-0eac   3.3.3.3   Vlan-interface200
Authorization information:
  DHCP IP pool: N/A
  User profile: N/A
  Session group profile: N/A
  ACL number: 3001
  Inbound CAR: CIR 3072 bps 3072 bps (inactive)
  Outbound CAR: CIR 3072 bps 3072 bps (inactive)
# Display information about preauthentication portal users.
<Sysname>...
Field Description
VPN instance: MPLS L3VPN instance to which the portal user belongs. If the portal user is on a public network, this field displays N/A.
MAC address of the portal user.
IP address of the portal user.
VLAN: VLAN where the portal user resides.
Interface: Access interface of the portal user.
Basic:
  Current IP address: 50.50.50.3
  Original IP address: 30.30.30.2
  Username: user1@hrss
  User ID: 0x28000002
  Access interface: Vlan-interface20
  Service-VLAN/Customer-VLAN: -/-
  MAC address: 0000-0000-0001
  Domain: hrss
  VPN instance: N/A
  Status: Online
  Portal server: test
  Portal authentication method: Direct
AAA:
  Realtime accounting interval: 60s, retry times: 3
  Idle cut: 180 sec, 10240 bytes, direction: Inbound
  Session duration: 500 sec, remaining: 300 sec
  Remaining traffic: 10240000 bytes...
Field Description
Service-VLAN/Customer-VLAN: Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.
MAC address: MAC address of the portal user.
Domain: ISP domain name for portal authentication.
MPLS L3VPN instance to which the portal user belongs.
Field Description
Inbound CAR: Authorized inbound CAR:
• CIR—Committed information rate in bps.
• PIR—Peak information rate in bps.
• active—The authorized inbound CAR is applied to the user access interface successfully.
• inactive—The authorized inbound CAR is not applied to the user access interface.
Field Description
level-n uplink packets/bytes: Packet and byte statistics of the upstream traffic at the accounting level n. The number n is in the range of 1 to 8. This field is not supported in the current software version.
level-n downlink packets/bytes: Packet and byte statistics of the downstream traffic at the accounting level n. This field is not supported in the current software version.
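The active and inactive states in the CAR rows above are worth checking in operations: a user whose authorized CAR is inactive stays online while that server-assigned control is not applied on the access interface. The following Python example is added here and is not code from the command reference. It parses a constructed transcript in the approximate layout of display portal user and lists every user with an inactive CAR. The exact output layout (field labels, indentation, the PIR label on CAR lines) is an assumption approximated from the page's own output excerpts, and the sample text is constructed, not captured from a device.

```python
import re

# Constructed sample in the approximate layout of "display portal user"
# (assumption: labels, indentation and the PIR label follow the page's
# excerpts; this is not a capture from a device).
SAMPLE_OUTPUT = """\
Username: user1@hrss
  Portal server: pts
  State: Online
  MAC: 000d-88f8-0eac
  IP: 3.3.3.3
  Interface: Vlan-interface200
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL number: 3001
    Inbound CAR: CIR 3072 bps PIR 3072 bps (active)
    Outbound CAR: CIR 3072 bps PIR 3072 bps (inactive)
Username: user2@hrss
  Portal server: pts
  State: Online
  MAC: 000d-88f8-0ead
  IP: 3.3.3.4
  Interface: Vlan-interface200
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL number: N/A
    Inbound CAR: CIR 3072 bps PIR 3072 bps (inactive)
    Outbound CAR: CIR 3072 bps PIR 3072 bps (inactive)
"""

CAR_RE = re.compile(
    r"^(Inbound|Outbound) CAR:\s+CIR\s+(\d+)\s+bps\s+PIR\s+(\d+)\s+bps\s+\((active|inactive)\)$"
)


def parse_users(text):
    """One dict per user. Top-level "Key: value" lines are stored under the
    lower-cased key; lines under "Authorization information:" go into the
    "authorization" dict, with CAR lines decoded into cir/pir/active."""
    users = []
    current = None
    in_auth = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Username:"):
            current = {"username": line.split(":", 1)[1].strip(), "authorization": {}}
            users.append(current)
            in_auth = False
            continue
        if current is None:
            continue
        if line == "Authorization information:":
            in_auth = True
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if not in_auth:
            current[key.lower()] = value
            continue
        car = CAR_RE.match(line)
        if car:
            current["authorization"][car.group(1).lower() + "_car"] = {
                "cir": int(car.group(2)),
                "pir": int(car.group(3)),
                "active": car.group(4) == "active",
            }
        else:
            current["authorization"][key] = value
    return users


def audit_inactive_car(users):
    """(username, interface, direction) for every user whose server-assigned
    CAR is reported inactive, i.e. not applied on the access interface and so
    not enforced while the user is online."""
    findings = []
    for user in users:
        for direction in ("inbound", "outbound"):
            car = user["authorization"].get(direction + "_car")
            if car is not None and not car["active"]:
                findings.append((user["username"], user.get("interface"), direction))
    return findings


if __name__ == "__main__":
    for username, interface, direction in audit_inactive_car(parse_users(SAMPLE_OUTPUT)):
        print(f"{username}: {direction} CAR not applied on {interface}")
```

Run it against the real command output by replacing SAMPLE_OUTPUT with the captured text; if a device's layout differs from the assumed one, adjust CAR_RE and the section marker first.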
Table 29 Command output
Field Description
Type: Portal Web server type. This field always displays IMC, which indicates the IMC server.
Portal Web server: Name of the portal Web server.
URL of the portal Web server.
URL parameters: URL parameters for the portal Web server.
VPN instance: Name of the MPLS L3VPN where the portal Web server resides.
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays Web redirect rules for the active MPU. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
Table 30 Command output
Field Description
Rule: Number of the Web redirect rule.
Type: Type of the Web redirect rule:
• Static—Static Web redirect rule, generated when the Web redirect feature takes effect.
• Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.
Parameters original-url url-string: Specifies a URL string to match the URL in HTTP requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters. redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.
<Sysname> system-view [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1 Related commands display portal web-server portal free-rule url-parameter ip (MAC binding server view) Use ip to specify the IP address of a MAC binding server. Use undo ip to restore the default. Syntax ip ipv4-address [ vpn-instance ipv4-vpn-instance-name ] [ key { cipher | simple } string ] undo ip...
Examples # Specify the IP address of the MAC binding server as 192.168.0.111 and the plaintext key as portal. <Sysname> system-view [Sysname] portal mac-trigger-server mts [Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal Related commands display portal mac-trigger-server ip (portal authentication server view) Use ip to specify the IP address of an IPv4 portal authentication server.
Examples # Configure the IP address of IPv4 portal authentication server pts as 192.168.0.111 and the plaintext key as portal. <Sysname> system-view [Sysname] portal server pts [Sysname-portal-server-pts] ip 192.168.0.111 key simple portal Related commands display portal server portal server ipv6 Use ipv6 to specify the IP address of an IPv6 portal authentication server.
Do not configure the same IPv6 address and MPLS L3VPN for different portal authentication servers. Examples # Configure the IP address of IPv6 portal authentication server pts as 2000::1 and the plaintext key as portal. <Sysname> system-view [Sysname] portal server pts [Sysname-portal-server-pts] ipv6 2000::1 key simple portal Related commands display portal server...
port (MAC binding server view) Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets. Use undo port to restore the default. Syntax port port-number undo port Default The MAC binding server listens for MAC binding query packets on UDP port 50100. Views MAC binding server view Predefined user roles...
Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534. Usage guidelines The specified port must be the port on which the portal authentication server listens for portal packets. Examples # Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to portal authentication server pts.
You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface if the following conditions are met: • The portal authentication server is an HPE IMC server or the portal authentication mode on the interface is re-DHCP. •...
Usage guidelines If the specified maximum number is smaller than the number of current online portal users on the interface, the limit can be set successfully. The limit does not impact the online portal users. However, the device does not allow new portal users to log in from the interface until the number drops down below the limit.
Related commands portal mac-trigger-server portal apply web-server (interface view) Use portal [ ipv6 ] apply web-server to specify a portal Web server. The device redirects the HTTP requests sent by unauthenticated portal users to the portal Web server. Use undo portal [ ipv6 ] apply web-server to restore the default. Syntax portal [ ipv6 ] apply web-server server-name [ fail-permit ] undo portal [ ipv6 ] apply web-server...
mdc-admin Parameters ipv4-address: Specifies the IP address of an IPv4 online portal user. all: Specifies IPv4 and IPv6 online portal users on all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 online portal users on the interface. ipv6 ipv6-address: Specifies the IP address of an IPv6 online portal user.
portal domain (interface view) Use portal [ ipv6 ] domain to specify a portal authentication domain on an interface. All portal users accessing through the interface must use the authentication domain. Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain. Syntax portal [ ipv6 ] domain domain-name undo portal [ ipv6 ] domain...
Views Interface view Predefined user roles network-admin mdc-admin Parameters ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server. server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
mdc-admin Parameters ipv4-network-address: Specifies an IPv4 portal authentication subnet address. mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to 32. mask: Specifies the subnet mask in dotted decimal format. Usage guidelines Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules).
Predefined user roles network-admin mdc-admin Parameters rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295. destination: Specifies the destination information. source: Specifies the source information. ip ipv4-address: Specifies an IPv4 address for the portal-free rule. { mask-length | mask }: Specifies the subnet mask of the IPv4 address.
• Specify the source IP address as 2000::1/64, the destination IP address as 2001::1, and the destination TCP port number as 23. • Specify the interface as VLAN-interface 1. <Sysname> system-view [Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ip 2000::1 64 interface vlan-interface 1 With this rule, users in subnet 2000::1/64 do not need to pass portal authentication on VLAN-interface 1 when they access services provided on TCP port 23 of host 2001::1.
The configured host name cannot contain only asterisks (*). The fuzzy match feature takes effect only on HTTP or HTTPS requests initiated by Web browsers. You cannot configure two destination-based portal-free rules with the same destination information. Otherwise the system prompts you that the same rule already exists. Examples # Configure a destination-based portal-free rule: specify the rule number as 4 and host name as www.abc.com.
Examples # Configure a source-based portal-free rule: specify the rule number as 3, source MAC address as 1-1-1, and source VLAN ID as 10. This rule allows the portal user whose source MAC address is 1-1-1 from VLAN 10 to access network resources without authentication. <Sysname>...
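The portal-free rule semantics described in the preceding commands (destination-based rules with an IP prefix, protocol and port; source-based rules with a MAC address and VLAN; host-name rules with asterisk fuzzy matching that applies only to HTTP or HTTPS requests; the rejection of a host name made only of asterisks and of a second destination-based rule with the same destination) are modelled in the following Python example. It is added here and is not code from the command reference or the device firmware. Rules 2, 3 and 4 reuse the values of the page's own examples; the Flow and FreeRule classes, first-match ordering by rule number, the treatment of a rule with both source and destination information as not purely destination-based, and rule 5 with the pattern *.abc.com are assumptions for illustration.

```python
# Added example, not code from the command reference. Flow, FreeRule,
# FreeRuleTable, first-match by rule number and rule 5 are assumptions.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str = "ip"            # "tcp", "udp" or "ip"
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None   # H-H-H device format or hh:hh:hh:hh:hh:hh
    vlan: Optional[int] = None
    interface: Optional[str] = None
    host: Optional[str] = None      # Host of an HTTP/HTTPS request, else None


@dataclass
class FreeRule:
    number: int
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None
    host_name: Optional[str] = None  # asterisks are wildcards (fuzzy match)


def normalize_mac(mac):
    """12 lower-case hex digits from H-H-H (e.g. 1-1-1) or six-octet notation."""
    groups = re.split(r"[-:.]", mac.lower())
    return "".join(g.zfill(4 if len(groups) == 3 else 2) for g in groups)


def _in_net(net, ip):
    """None means any; an address of the other IP version never matches."""
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule, flow):
    if rule.host_name is not None:
        if flow.host is None:       # fuzzy host match applies to HTTP/HTTPS only
            return False
        pattern = ".*".join(re.escape(p) for p in rule.host_name.split("*"))
        if not re.fullmatch(pattern, flow.host, re.IGNORECASE):
            return False
    if not _in_net(rule.src_net, flow.src_ip) or not _in_net(rule.dst_net, flow.dst_ip):
        return False
    if rule.protocol and rule.protocol.lower() != flow.protocol.lower():
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    if rule.src_mac and (flow.src_mac is None
                         or normalize_mac(rule.src_mac) != normalize_mac(flow.src_mac)):
        return False
    if rule.vlan is not None and rule.vlan != flow.vlan:
        return False
    if rule.interface and rule.interface.lower() != (flow.interface or "").lower():
        return False
    return True


def _dest_key(rule):
    """Destination information of a purely destination-based rule, else None."""
    if (rule.dst_net or rule.host_name) and not (rule.src_net or rule.src_mac):
        return (rule.dst_net, rule.protocol, rule.dst_port, rule.host_name)
    return None


class FreeRuleTable:
    def __init__(self):
        self.rules = []

    def add(self, rule):
        if rule.host_name is not None and rule.host_name.strip("*") == "":
            raise ValueError("host name cannot contain only asterisks")
        key = _dest_key(rule)
        if key is not None and any(_dest_key(r) == key for r in self.rules):
            raise ValueError("a rule with the same destination already exists")
        self.rules.append(rule)

    def exempt(self, flow):
        """Number of the first rule freeing the flow from portal authentication,
        or None if the user must authenticate."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule_matches(rule, flow):
                return rule.number
        return None


def build_example_table():
    table = FreeRuleTable()
    # Rules 2, 3 and 4 use the values of the page's own examples; rule 5 is assumed.
    table.add(FreeRule(2, src_net="2000::1/64", dst_net="2001::1/128",
                       protocol="tcp", dst_port=23, interface="vlan-interface 1"))
    table.add(FreeRule(3, src_mac="1-1-1", vlan=10))
    table.add(FreeRule(4, host_name="www.abc.com"))
    table.add(FreeRule(5, host_name="*.abc.com"))
    return table
```

Note that the host pattern is anchored with fullmatch, so www.abc.com.evil.example does not satisfy either www.abc.com or *.abc.com; a free rule evaluated with a prefix or substring match would let such a host bypass authentication.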
If firewall policies on the access device filter out ICMPv6 packets, ICMPv6 detection might fail and result in the logout of portal users. Make sure the access device does not block ICMPv6 packets before you enable ICMPv6 detection on an interface. Examples # Enable online detection of IPv6 portal users on VLAN-interface 100.
Examples # Configure an IPv4 portal authentication source subnet of 10.10.10.0/24 on VLAN-interface 2. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] portal layer3 source 10.10.10.0 24 Related commands display portal portal free-all except destination portal local-web-server Use portal local-web-server to create an HTTP- or HTTPS-based local portal Web service and enter its view, or enter the view of the existing HTTP- or HTTPS-based local portal Web service.
To specify a new SSL server policy for HTTPS, first execute the undo form of this command to delete the existing HTTPS-based local portal Web service. When you specify the listening TCP port number for the HTTPS-based local portal Web service, follow these restrictions and guidelines: •...
Default Portal user login and logout logging is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This feature logs information about portal user login and logout events, including the username, IP address, user's MAC address, interface name, VLAN, and reason for login failure. For portal log messages to be sent correctly, you must also configure the information center on the device.
[Sysname-portal-mac-trigger-server-mts] Related commands display portal mac-trigger-server portal apply mac-trigger-server portal max-user Use portal max-user to set the maximum number of total portal users allowed in the system. Use undo portal max-user to restore the default. Syntax portal max-user max-number undo portal max-user Default The total number of portal users allowed in the system is not limited.
Syntax portal nas-id-profile profile-name undo portal nas-id-profile Default No NAS-ID profile is specified for an interface. Views Interface view Predefined user roles network-admin mdc-admin Parameters profile-name: Specifies the name of a NAS-ID profile, a case-insensitive string of 1 to 31 characters. Usage guidelines A NAS-ID profile defines the binding relationship between VLANs and NAS-IDs.
Predefined user roles network-admin mdc-admin Parameters 1: Uses format 1 for the NAS-Port-Id attribute. 2: Uses format 2 for the NAS-Port-Id attribute. 3: Uses format 3 for the NAS-Port-Id attribute. 4: Uses format 4 for the NAS-Port-Id attribute. Usage guidelines The NAS-Port-Id format supported by RADIUS servers varies by vendor.
AccessNodeIdentifier: Identifier description of the access node, a string not longer than 50 characters without spaces. ANI_frame: Frame number of the access node, in the range of 0 to 31. ANI_slot: Slot number of the access node, in the range of 0 to 127. ANI_subslot: Subslot number of the access node, in the range of 0 to ... ANI_port: ...
Format 2 is SlotID00IfNOVlanID. • SlotID—Slot number, a string of 2 characters. • IfNO—Interface number, a string of 3 characters. • VlanID—VLAN ID, a string of 9 characters. Format 3 is SlotID00IfNOVlanIDDHCPoption. • SlotID—Slot number, a string of 2 characters. •...
Other outgoing packets on the interface are dropped. Examples # Enable outgoing packets filtering on VLAN-interface 20. <Sysname> system-view [Sysname] interface vlan-interface 20 [Sysname-Vlan-interface20] portal outbound-filter enable portal pre-auth domain Use portal [ ipv6 ] pre-auth domain to specify a preauthentication domain for portal users. Use undo portal [ ipv6 ] pre-auth domain to restore the default.
• You create the ISP domain after specifying it as the preauthentication domain. • You delete the specified ISP domain and then re-create it. If you change the preauthentication domain on an interface, the interface uses the new preauthentication domain for both new and existing preauthentication users. If authorization attributes in the preauthentication domain are modified, the modified attributes take effect only on new preauthentication users.
Usage guidelines You must use this command to specify a preauthentication IP address pool on a portal-enabled interface in the following situation: • Portal users access the network through a subinterface of the portal-enabled interface. • The subinterface does not have an IP address. •...
Usage guidelines When the Rule ARP or ND entry feature is enabled for portal clients, ARP or ND entries for portal clients are Rule entries after the clients come online. The Rule ARP or ND entries will not age out and will be deleted immediately after the portal clients go offline.
portal server Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server. Use undo portal server to delete the specified portal authentication server. Syntax portal server server-name undo portal server server-name Default No portal authentication servers exist.
undo portal user-detect Default Online detection of IPv4 portal users is disabled. Views Interface view Predefined user roles network-admin mdc-admin Parameters type: Specifies the detection type. • arp—ARP detection. • icmp—ICMP detection. retry retries: Specifies the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.
[Sysname-Vlan-interface100] portal user-detect type arp retry 5 interval 10 idle 300 Related commands display portal portal user-dhcp-only (interface view) Use portal user-dhcp-only to allow only users with DHCP-assigned IP addresses to pass portal authentication. Use undo portal user-dhcp-only to restore the default. Syntax portal [ ipv6 ] user-dhcp-only undo portal [ ipv6 ] user-dhcp-only...
undo portal web-proxy port { port-number | all } Default No port numbers of Web proxy servers are specified. Proxied HTTP requests are dropped. Views System view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies the port number of a Web proxy server. The value range for this argument is 1 to 65535.
Default No portal Web servers exist. Views System view Predefined user roles network-admin mdc-admin Parameters server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP requests of unauthenticated portal users to the portal Web server.
Related commands display portal packet statistics server-detect (portal authentication server view) Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status. Use undo server-detect to disable portal authentication server detection.
[Sysname] portal server pts [Sysname-portal-server-pts] server-detect timeout 600 log Related commands portal server server-detect (portal Web server view) Use server-detect to enable portal Web server detection. Use undo server-detect to disable portal Web server detection. Syntax server-detect [ interval interval ] [ retry retries ] { log | trap } * undo server-detect Default Portal Web server detection is disabled.
Related commands portal web-server server-type Use server-type to specify the type of a portal authentication server or portal Web server. Use undo server-type to restore the default. Syntax server-type imc undo server-type Default The type of the portal authentication server and portal Web server is IMC. Views Portal authentication server view Portal Web server view...
Default The type of the MAC binding server is IMC. Views MAC binding server view Predefined user roles network-admin mdc-admin Parameters imc: Specifies the MAC binding server type as IMC. Examples # Specify the type of MAC binding server as imc. <Sysname>...
• Do not configure the HTTPS listening port number as the default HTTP listening port number • Do not configure the same listening port number for HTTP and HTTPS. • For the HTTPS-based local portal Web service and other services that use HTTPS: If they use the same SSL server policy, they can use the same TCP port number to listen to ...
[Sysname-portal-websvr-wbs] url http://www.test.com/portal Related commands display portal web-server url-parameter Use url-parameter to configure the parameters carried in the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user. Use undo url-parameter to delete the parameters carried in the URL of the portal Web server.
Usage guidelines You can configure multiple URL parameters. If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect. After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users.
undo user-sync Default Portal user synchronization is disabled for a portal authentication server. Views Portal authentication server view Predefined user roles network-admin mdc-admin Parameters timeout timeout: Specifies a detection timeout for synchronization packets, in the range of 60 to 18000 seconds. Usage guidelines After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server.
undo version Default The version of the portal protocol is 1. Views MAC binding server view Predefined user roles network-admin mdc-admin Parameters version-number: Specifies the portal protocol version in the range of 1 to 3. Usage guidelines The specified portal protocol version must be the one required by the MAC binding server. Examples # Configure the device to use portal protocol version 2 to communicate with MAC binding server mts.
Usage guidelines A portal Web server belongs to only one MPLS L3VPN instance. Examples # Specify MPLS L3VPN instance abc for portal Web server wbs. <Sysname> system-view [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] vpn-instance abc web-redirect url Use web-redirect url to enable the Web redirect feature. Use undo web-redirect url to disable the Web redirect feature.
Port security commands display port-security Use display port-security to display port security configuration, operation information, and statistics for ports. Syntax display port-security [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.
Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : 32 Current secure MAC addresses Authorization : Permitted NAS-ID profile : Not configured Free VLANs : Not configured Open authentication : Disabled Table 31 Command output Field Description Port security...
Field Description Port mode: Port security mode: • noRestrictions. • autoLearn. • macAddressWithRadius. • macAddressElseUserLoginSecure. • macAddressElseUserLoginSecureExt. • secure. • userLogin. • userLoginSecure. • userLoginSecureExt. • macAddressOrUserLoginSecure. • macAddressOrUserLoginSecureExt. • userLoginWithOUI. For more information about port security modes, see Security Configuration Guide.
Field Description Free VLANs: VLANs in which packets will not trigger authentication. If you do not configure free VLANs, this field displays Not configured. Open authentication: Whether open authentication mode is enabled on the port. display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses.
Table 32 Command output Field Description MAC ADDR: Blocked MAC address. Port: Port that received frames with the blocked MAC address as the source address. VLAN ID: ID of the VLAN to which the port belongs. number mac address(es) found: Number of blocked MAC addresses.
--- Number of secure MAC addresses: 1 --- Table 33 Command output Field Description MAC ADDR: Secure MAC address. VLAN ID: ID of the VLAN to which the port belongs. STATE: Type of the MAC address. This field displays Secure for a secure MAC address.
Usage guidelines As a best practice, disable this feature to prevent excessive output of logs for port security users. If you do not specify any parameters, this command enables all logging functions for port security users. Examples # Enable logging for intrusion protection. <Sysname>...
Examples # Enable open authentication mode on Ten-GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] port-security authentication open Related commands display dot1x connection display mac-authentication connection port-security authentication open global port-security authentication open global Use port-security authentication open global to enable global open authentication mode. Use undo port-security authentication open global to disable global open authentication mode.
Related commands display dot1x connection display mac-authentication connection port-security authentication open port-security authorization ignore Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device). Use undo port-security authorization ignore to restore the default. Syntax port-security authorization ignore undo port-security authorization ignore...
Default The authorization-fail-offline feature is disabled. The device does not log off users that fail authorization. Views System view Predefined user roles network-admin mdc-admin Parameters quiet-period: Enables the quiet timer for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature.
undo port-security enable Default Port security is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines You must disable global 802.1X and MAC authentication before you enable port security on a port. Enabling or disabling port security resets the following security settings to the default: •...
mdc-admin Parameters vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of start-vlan-id to end-vlan-id. The value range for VLAN IDs is 1 to 4094. The end VLAN ID must be equal to or greater than the start VLAN ID. Usage guidelines This command allows packets from the specified VLANs to not trigger 802.1X or MAC authentication on a port configured with any of the following features:...
Predefined user roles network-admin mdc-admin Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for 3 minutes, which is not user configurable.
Usage guidelines This command enables the device to periodically detect traffic data from secure MAC addresses. If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the secure MAC addresses. When you use the aging timer together with the inactivity aging feature, the aging timer restarts once traffic data is detected from the secure MAC addresses.
lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot. You can display dynamic secure MAC addresses by using the display port-security mac-address security command. The undo port-security mac-address dynamic command converts all dynamic secure MAC addresses on the port to sticky MAC addresses.
vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs. The value range for the vlan-id argument is 1 to 4094. Usage guidelines Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot.
port-security mac-limit Use port-security mac-limit to set the maximum number of MAC addresses that port security allows for specific VLANs on a port. Use undo port-security mac-limit to restore the default. Syntax port-security mac-limit max-number per-vlan vlan-id-list undo port-security mac-limit per-vlan vlan-id-list Default The maximum number is 2147483647.
Related commands display dot1x display mac-authentication port-security mac-move permit Use port-security mac-move permit to enable MAC move on the device. Use undo port-security mac-move permit to disable MAC move on the device. Syntax port-security mac-move permit undo port-security mac-move permit Default MAC move is disabled on the device.
Default Port security does not limit the number of secure MAC addresses on a port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters max-count: Specifies the maximum number of secure MAC addresses that port security allows on the port.
port-security nas-id-profile Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security. Use undo port-security nas-id-profile to restore the default. Syntax port-security nas-id-profile profile-name undo port-security nas-id-profile Default No NAS-ID profile is applied to port security globally or on any port. Views System view Layer 2 Ethernet interface view...
Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode Default The NTK feature is not configured on a port and all frames are allowed to be sent. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin...
Predefined user roles network-admin mdc-admin Parameters index-value: Specifies the OUI index, in the range of 1 to 16. oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value. Usage guidelines You can configure multiple OUI values.
Parameters Keyword Security mode Description A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address. Instead, the MAC addresses are added to the secure MAC address table as secure MAC addresses.
Keyword Security mode Description This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in. In this mode, the port performs 802.1X authentication first.
When a short aging time (less than 60 seconds) works with inactivity aging, do not assign a large value to the maximum number of secure MAC addresses on a port. A large value in this case might affect device performance. Examples # Set the secure MAC aging timer to 30 minutes.
Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
Table 34 Command output Field Description Password control: Whether the password control feature is enabled. Password aging: Whether password expiration is enabled and, if enabled, the aging time. Password length: Whether the minimum password length restriction feature is enabled and, if enabled, the setting. Password composition: Whether the password composition restriction feature is enabled and, if enabled, the settings.
ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines If you do not specify any parameters, this command displays information about all users in the password control blacklist. The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication.
Predefined user roles network-admin mdc-admin Parameters aging: Enables the password expiration feature. composition: Enables the password composition restriction feature. history: Enables the password history feature. length: Enables the minimum password length restriction feature. Usage guidelines For a specific password control feature to take effect, make sure the global password control and the specific password control feature are both enabled.
undo password-control aging Default A password expires after 90 days. The password aging time for a user group equals the global setting. The password aging time for a local user equals that of the user group to which the local user belongs.
password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days.
Views System view User group view Local user view Predefined user roles network-admin mdc-admin Parameters same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
The password using the global composition policy must contain a minimum of one character type and a minimum of one character for each type. In FIPS mode: The password using the global composition policy must contain a minimum of four character types and a minimum of one character for each type.
# Specify that the password of device management user abc must contain a minimum of four character types and a minimum of five characters for each type. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5 Related commands display local-user display password-control display user-group...
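The complexity and composition rules above (same-character runs, username or reversed username, type-number and type-length, minimum length) can be checked offline before a password is pushed to a device. The following Python checker is an added example written for this page, not the device's implementation or vendor code; it assumes a default minimum length of 10 in non-FIPS mode (the page only gives the allowed ranges) and treats every printable non-alphanumeric character as a "special character". The policy names and helper functions are this example's own.

```python
"""Added example: apply password-control composition, complexity and minimum
length rules to candidate passwords. Illustrative code, not the device's code."""
import string
from dataclasses import dataclass
from typing import Dict, List

# Character types counted by the composition policy. Treating every printable
# non-alphanumeric character as "special" is an assumption of this example.
CHARACTER_TYPES: Dict[str, set] = {
    "uppercase letters": set(string.ascii_uppercase),
    "lowercase letters": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "special characters": set(string.punctuation),
}


@dataclass
class PasswordPolicy:
    fips: bool = False
    min_length: int = 10       # assumed default; the page gives only the ranges
    type_number: int = 1       # minimum number of character types (global default)
    type_length: int = 1       # minimum characters of each required type
    same_character: bool = False   # password-control complexity same-character check
    user_name: bool = False        # password-control complexity user-name check

    def __post_init__(self) -> None:
        low = 15 if self.fips else 4   # allowed minimum-length ranges from the page
        if not low <= self.min_length <= 32:
            raise ValueError(f"min_length must be {low} to 32")
        if not 1 <= self.type_number <= 4:
            raise ValueError("type_number must be 1 to 4")
        if self.fips and self.type_number != 4:
            raise ValueError("FIPS mode requires four character types")


def fips_policy() -> PasswordPolicy:
    """Global composition defaults in FIPS mode: four types, one character each."""
    return PasswordPolicy(fips=True, min_length=15, type_number=4, type_length=1)


def has_same_character_run(password: str, run: int = 3) -> bool:
    """True if any character appears 'run' or more times consecutively (e.g. aaabc)."""
    return any(len(set(password[i:i + run])) == 1 for i in range(len(password) - run + 1))


def contains_user_name(password: str, username: str) -> bool:
    """True if the password contains the username or the reversed username."""
    return bool(username) and (username in password or username[::-1] in password)


def check_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} is below the minimum of {policy.min_length}")
    counts = {name: sum(ch in chars for ch in password) for name, chars in CHARACTER_TYPES.items()}
    satisfied = [name for name, n in counts.items() if n >= policy.type_length]
    if len(satisfied) < policy.type_number:
        problems.append(
            f"composition: needs {policy.type_number} character types with at least "
            f"{policy.type_length} characters each, found {len(satisfied)}")
    if policy.same_character and has_same_character_run(password):
        problems.append("complexity: a character repeats three or more times consecutively")
    if policy.user_name and contains_user_name(password, username):
        problems.append("complexity: password contains the username or its reverse")
    return problems


if __name__ == "__main__":
    # Mirrors "composition type-number 4 type-length 5" with both complexity checks on.
    strict = PasswordPolicy(type_number=4, type_length=5, same_character=True, user_name=True)
    for candidate in ("ABCDEfghij12345!@#$%", "aaabc", "abc123"):
        print(candidate, check_password(candidate, "123", strict) or "OK")
```

The composition check counts characters per type and requires type-number types to each reach type-length, which is how the page describes the "four types, five characters each" example; a password that satisfies the count only in total would be rejected.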
password-control expired-user-login Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires. Use undo password-control expired-user-login to restore the defaults. Syntax password-control expired-user-login delay delay times times undo password-control expired-user-login Default A user can log in three times within 30 days after the password expires.
Predefined user roles network-admin mdc-admin Parameters max-record-number: Specifies the maximum number of history password records for each user. The value range is 2 to 15. Usage guidelines When the number of history password records reaches the maximum number, the subsequent history record overwrites the earliest one.
Local user view Predefined user roles network-admin mdc-admin Parameters length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode. Usage guidelines The minimum length setting depends on the view: •...
Default The maximum account idle time is 90 days. Views System view Predefined user roles network-admin mdc-admin Parameters idle-time: Specifies the maximum account idle time in days. The value range is 0 to 365. 0 means no restriction for account idle time. Usage guidelines If a user account is idle for this period of time, the account becomes invalid and can no longer be used to log in to the device.
mdc-admin Parameters login-times: Specifies the maximum number of consecutive login failures. The value range is 2 to 10. exceed: Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts. •...
# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock. [Sysname] display password-control blacklist Username: test IP: 192.168.44.1 Login failures: 4 Lock flag: lock Blacklist items matched: 1. # Verify that the user at 192.168.44.1 cannot use this user account to log in.
mdc-admin Parameters aging-time: Specifies the super password aging time in days, in the range of 1 to 365. Examples # Set the super passwords to expire after 10 days. <Sysname> system-view [Sysname] password-control super aging 10 Related commands display password-control password-control aging password-control super composition Use password-control super composition to configure the composition policy for super...
Examples # Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type. <Sysname> system-view [Sysname] password-control super composition type-number 4 type-length 5 Related commands display password-control password-control composition password-control super length Use password-control super length to set the minimum length for super passwords.
Syntax password-control update-interval interval undo password-control update-interval Default The minimum password update interval is 24 hours. Views System view Predefined user roles network-admin mdc-admin Parameters interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.
<Sysname> reset password-control blacklist user-name test Are you sure to delete the specified user in blacklist? [Y/N]: Related commands display password-control blacklist reset password-control history-record Use reset password-control history-record to delete history password records. Syntax reset password-control history-record [ super [ role role-name ] | user-name user-name ] Views User view Predefined user roles...
Keychain commands accept-lifetime utc Use accept-lifetime utc to set the receiving lifetime for a key of a keychain in absolute time mode. Use undo accept-lifetime to restore the default. Syntax accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date } undo accept-lifetime Default...
<Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21 accept-tolerance Use accept-tolerance to set a tolerance time for accept keys in a keychain. Use undo accept-tolerance to restore the default. Syntax accept-tolerance { value | infinite } undo accept-tolerance Default...
undo authentication-algorithm Default No authentication algorithm is specified for a key. Views Key view Predefined user roles network-admin mdc-admin Parameters hmac-md5: Specifies the HMAC-MD5 authentication algorithm. hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm. md5: Specifies the MD5 authentication algorithm. Usage guidelines If an application does not support the authentication algorithm specified for a key, the application cannot use the key for packet authentication.
Accept status : Active Key ID Key string : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g== Algorithm : md5 Send lifetime : 01:00:01 2015/01/25 to 01:00:00 2015/01/27 Send status : Inactive Accept lifetime : 01:00:00 2015/01/22 to 01:00:00 2015/01/27 Accept status : Active Table 36 Command output Field Description Mode...
Parameters key-id: Specifies a key ID in the range of 0 to 281474976710655. Usage guidelines The keys in a keychain must have different key IDs. Examples # Create key 1 and enter its view. <Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] keychain...
key-string Use key-string to configure a key string for a key. Use undo key-string to restore the default. Syntax key-string { cipher | plain } string undo key-string Default No key string is configured for a key. Views Key view Predefined user roles network-admin mdc-admin...
Predefined user roles network-admin mdc-admin Parameters start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59. start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.
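To see how the absolute-time send and accept lifetimes and the accept tolerance interact during a key rollover, the following Python model is an added example for this page, not the device's implementation or vendor code. It assumes that lifetime bounds are inclusive, that the tolerance widens the accept window at both its start and its end, and that when several keys are active for sending the lowest key ID is used; this excerpt does not state the device's selection rule, so that last point is an assumption. The sample keychain is constructed, with key 1 copying the lifetimes shown in the display output above.

```python
"""Added example: evaluate send/accept lifetimes (absolute time mode) and the
accept tolerance of a keychain at a given instant. Illustrative code only."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


def parse_utc(time_str: str, date_str: str) -> datetime:
    """Parse HH:MM[:SS] and a MM/DD/YYYY or YYYY/MM/DD date, as the lifetime commands accept."""
    parts = [int(p) for p in time_str.split(":")]
    if len(parts) == 2:
        parts.append(0)
    hour, minute, second = parts
    a, b, c = (int(p) for p in date_str.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)   # YYYY/MM/DD vs MM/DD/YYYY
    if not 2000 <= year <= 2035:
        raise ValueError("year must be 2000 to 2035")
    return datetime(year, month, day, hour, minute, second)


@dataclass
class Key:
    key_id: int
    send_start: datetime
    send_end: Optional[datetime]       # None stands for the 'infinite' keyword
    accept_start: datetime
    accept_end: Optional[datetime]


def in_lifetime(now: datetime, start: datetime, end: Optional[datetime],
                tolerance: timedelta = timedelta(0)) -> bool:
    """Inclusive window check; 'tolerance' widens the window at both ends."""
    if now < start - tolerance:
        return False
    return end is None or now <= end + tolerance


def send_key(keys: List[Key], now: datetime) -> Optional[Key]:
    """Key used for outgoing packets. Assumption: lowest key ID wins if several are active."""
    active = [k for k in keys if in_lifetime(now, k.send_start, k.send_end)]
    return min(active, key=lambda k: k.key_id) if active else None


def accept_keys(keys: List[Key], now: datetime, tolerance_minutes: Optional[int] = 0) -> List[Key]:
    """Keys accepted on received packets; None stands for an 'infinite' tolerance."""
    if tolerance_minutes is None:
        return list(keys)       # infinite tolerance: every key's accept window covers now
    tol = timedelta(minutes=tolerance_minutes)
    return [k for k in keys if in_lifetime(now, k.accept_start, k.accept_end, tol)]


def sample_keychain() -> List[Key]:
    """Constructed rollover: key 1 copies the lifetimes in the display output; key 2 takes over."""
    return [
        Key(1, parse_utc("01:00:01", "2015/01/25"), parse_utc("01:00:00", "2015/01/27"),
            parse_utc("01:00:00", "2015/01/22"), parse_utc("01:00:00", "2015/01/27")),
        Key(2, parse_utc("01:00:00", "2015/01/27"), None,
            parse_utc("00:00:00", "2015/01/27"), None),
    ]


if __name__ == "__main__":
    keys = sample_keychain()
    for when in ("02:00 2015/01/26", "01:30 2015/01/27", "03:00 2015/01/27"):
        now = parse_utc(*when.split(" "))
        tx = send_key(keys, now)
        rx = [k.key_id for k in accept_keys(keys, now, tolerance_minutes=60)]
        print(when, "send key:", tx.key_id if tx else None, "accept keys:", rx)
```

With a 60-minute tolerance, packets signed with key 1 are still accepted for an hour after its accept lifetime ends at 01:00:00 2015/01/27, which is the grace period that keeps peers with slightly skewed clocks from dropping each other's traffic during rollover; with tolerance 0 the same packet is rejected at 01:30.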
mdc-admin Parameters hmac-md5: Specifies the HMAC-MD5 authentication algorithm, which provides a key length of 16 bytes. md5: Specifies the MD5 authentication algorithm, which provides a key length of 16 bytes. algorithm-id: Specifies an algorithm ID in the range of 1 to 63. Usage guidelines If an application uses keychain authentication during TCP connection establishment, the incoming and outgoing TCP packets will carry the TCP Enhanced Authentication Option.
Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
Key code: ... # Display the public key of the local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1...
Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters brief: Displays brief information about all peer host public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer host public key, including its key code.
Type Modulus Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 39 Command output Field Description Type Key type: RSA, DSA or ECDSA. Modulus Key modulus length in bits. Name Name of the peer host public key. Related commands public-key peer public-key peer import sshkey peer-public-key end Use peer-public-key end to exit public key view to system view and save the configured peer host public key.
[Sysname-pkey-public-key-key1]0001 [Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands display public-key local public display public-key peer public-key peer public-key local create Use public-key local create to create local key pairs. Syntax In non-FIPS mode: public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ] In FIPS mode: public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name...
Type: DSA, default name: dsakey. Type: ECDSA, default name: ecdsakey. Usage guidelines The key algorithm must be the same as required by the security application. When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security, and the longer the key generation time. When you create an ECDSA key pair, choose the appropriate elliptic curve.
...++++++ .++++++ ..++++++++ ..++++++++ Create the key pair successfully. # Create a local DSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
..+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the name ecdsa1. <Sysname> system-view [Sysname] public-key local create ecdsa name ecdsa1 Generating Keys... Create the key pair successfully. # In FIPS mode, create a local RSA key pair with the default name. <Sysname>...
Views System view Predefined user roles network-admin mdc-admin Parameters dsa: Specifies the DSA key pair type. ecdsa: Specifies the ECDSA key pair type. rsa: Specifies the RSA key pair type. name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters.
Related commands
public-key local create

public-key local export dsa
Use public-key local export dsa to export a local DSA host public key.
Syntax
public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views
System view
Predefined user roles
network-admin...
<Sysname> system-view
[Sysname] public-key local export dsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-2011/05/12"
AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3
B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz
WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU
XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH
bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw
vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd
MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo=
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local DSA key pair with the default name in OpenSSH format.
<Sysname>...
Related commands
public-key local create
public-key peer import sshkey

public-key local export ecdsa
Use public-key local export ecdsa to export a local ECDSA host public key.
Syntax
public-key local export ecdsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views
System view
Predefined user roles...
<Sysname> system-view
[Sysname] public-key local export ecdsa openssh key.pub
# Display the host public key of the local ECDSA key pair with the default name in SSH 2.0 format.
<Sysname> system-view
[Sysname] public-key local export ecdsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "ecdsa-sha2-nistp256-2014/07/06"...
For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command displays the key on the monitor screen.
Usage guidelines
You can use this command to export a local RSA host public key before distributing it to a peer device.
Execute the peer-public-key end command to save the public key and return to system view.
The public key you type in the public key view must be in a correct format. If the peer device is an HPE device, use the display public-key local public command to display and record its public key.
Examples...
<Sysname> system-view
[Sysname] public-key peer key1
Enter public key view. Return to system view with "peer-public-key end" command.
[Sysname-pkey-public-key-key1]
Related commands
display public-key local public
display public-key peer
peer-public-key end

public-key peer import sshkey
Use public-key peer import sshkey to import a peer host public key from a public key file.
Use undo public-key peer to remove a peer host public key.
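The ssh2 block produced by the export commands above (RFC 4716) and the openssh one-line form carry the same base64 key blob, so either can be converted into the other and both give the same fingerprint; comparing that fingerprint on both devices is the check to make before typing or importing a peer key. The following Python is an added example, not code from the device or from HPE; the ssh-dss key it builds uses constructed, non-secure parameters, and no key from the page is decoded.

```python
import base64
import hashlib
import struct


def build_ssh_wire(*fields: bytes) -> bytes:
    """Concatenate length-prefixed fields (SSH wire format, RFC 4253)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint body."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" + body if body and body[0] & 0x80 else body


def parse_ssh_wire(blob: bytes) -> list:
    """Split a key blob into its fields; the first field is the key type."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def rfc4716_to_blob(text: str) -> bytes:
    """Decode an RFC 4716 block (the device's ssh2 export format). Header
    lines such as Comment: are skipped, including backslash continuations."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----":
        raise ValueError("missing BEGIN marker")
    if lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("missing END marker")
    body, i = [], 1
    while i < len(lines) - 1:
        if ":" in lines[i] and not body:          # base64 never contains ':'
            while lines[i].endswith("\\") and i < len(lines) - 2:
                i += 1
            i += 1
            continue
        body.append(lines[i])
        i += 1
    return base64.b64decode("".join(body), validate=True)


def blob_to_rfc4716(blob: bytes, comment: str) -> str:
    """Wrap a blob in the ssh2 (RFC 4716) text form, 72 characters per line."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 72] for i in range(0, len(b64), 72))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            f'Comment: "{comment}"\n{body}\n---- END SSH2 PUBLIC KEY ----\n')


def blob_to_openssh(blob: bytes, comment: str = "") -> str:
    """One-line OpenSSH form: '<type> <base64 blob> [comment]'."""
    keytype = parse_ssh_wire(blob)[0].decode("ascii")
    line = f"{keytype} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def openssh_to_blob(line: str) -> bytes:
    """Reverse of blob_to_openssh; rejects a type prefix that lies about the blob."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    if parse_ssh_wire(blob)[0].decode("ascii") != keytype:
        raise ValueError("key type prefix does not match blob")
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    """Same fingerprint as 'ssh-keygen -lf': SHA-256 of the raw blob."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + digest.rstrip("=")


def describe_dss(blob: bytes) -> dict:
    """Report the DSA parameter sizes carried in an ssh-dss blob."""
    fields = parse_ssh_wire(blob)
    if len(fields) != 5 or fields[0] != b"ssh-dss":
        raise ValueError("not an ssh-dss blob")
    p, q = (int.from_bytes(f, "big") for f in fields[1:3])
    return {"type": "ssh-dss", "p_bits": p.bit_length(), "q_bits": q.bit_length()}


# Constructed ssh-dss blob with arbitrary (non-secure) parameters; only the
# encoding is exercised here, not the DSA math.
SAMPLE_BLOB = build_ssh_wire(b"ssh-dss", mpint((1 << 1023) + 12345),
                             mpint((1 << 159) + 7), mpint(2), mpint((1 << 1000) + 99))
SAMPLE_RFC4716 = blob_to_rfc4716(SAMPLE_BLOB, "dsa-key-constructed")

if __name__ == "__main__":
    blob = rfc4716_to_blob(SAMPLE_RFC4716)
    print(blob_to_openssh(blob, "dsa-key-constructed"))
    print(fingerprint_sha256(blob), describe_dss(blob))
```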
Related commands
display public-key peer
public-key local export dsa
public-key local export ecdsa
public-key local export rsa...
PKI commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

attribute
Use attribute to configure a rule to filter certificates based on an attribute in the certificate issuer name, subject name, or alternative subject name field.
An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 42.
Table 42 Combinations of attribute-value pairs and operation keywords
Operation   DN                                              FQDN/IP
...         The DN contains the specified attribute value.  Any FQDN or IP address contains the specified attribute value.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
name: Specifies the trusted CA by its name, a case-sensitive string of 1 to 63 characters.
Usage guidelines
To obtain a CA certificate in a PKI domain, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the CA server specified for the PKI domain.
• State and country where the entity resides.
• FQDN.
• IP address.
You can specify only one PKI entity for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify PKI entity en1 for certificate request in PKI domain aaa.
<Sysname>...
Use undo certificate request mode to restore the default.
Syntax
certificate request mode { auto [ password { cipher | simple } string ] | manual }
undo certificate request mode
Default
The certificate request mode is manual.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin...
certificate request polling
Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status.
Use undo certificate request polling to restore the defaults.
Syntax
certificate request polling { count count | interval interval }
undo certificate request polling { count | interval }
Default
The polling interval is 20 minutes, and the maximum number of attempts is 50.
undo certificate request url
Default
The URL of the certificate request reception authority is not specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters.
Predefined user roles
network-admin
mdc-admin
Parameters
common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name.
Examples
# Set the common name to test for PKI entity en.
<Sysname>...
Default
CRL checking is enabled.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
A CRL is a list of revoked certificates signed and published by a CA. Revoked certificates should no longer be trusted. Enable CRL checking to ensure that the device only accepts certificates that have not been revoked by the issuing CA.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option.
Usage guidelines
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository in the following order:
CRL repository specified in the PKI domain by using this command.
Usage guidelines
If you do not specify a policy name, this command displays information about all certificate-based access control policies.
Examples
# Display information about certificate-based access control policy mypolicy.
<Sysname> display pki certificate access-control-policy mypolicy
Access control policy name: mypolicy
Rule 1 deny mygroup1...
Parameters
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups.
Examples
# Display information about certificate attribute group mygroup.
<Sysname>...
display pki certificate domain
Use display pki certificate domain to display information about certificates.
Syntax
display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=docm, OU=rnd, CN=rootca
Validity
Not Before: Jan 6 02:51:41 2011 GMT
Not After : Dec 7 03:12:05 2013 GMT
Subject: C=cn, O=ccc, OU=ppp, CN=rootca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0:
28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40:...
52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67:
d8:95:e2:26:a4:0b:c2:8c:63:32:5d:38:3e:fd:b7:
4a:83:69:0e:3e:24:e4:ab:91:6c:56:51:88:93:9e:
12:a4:30:ad:ae:72:57:a7:ba:fb:bc:ac:20:8a:21:
46:ea:e8:93:55:f3:41:49:e9:9d:cc:ec:76:13:fd:
a5:8d:cb:5b:45:08:b7:d1:c5:b5:58:89:47:ce:12:
bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b:
8a:f0:ea:02:fd:2d:44:7a:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
Netscape Comment:
User Certificate of OpenCA Labs...
dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a:
65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28:
04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64:
cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4:
50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f:
3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9:
de:18:9d:c1
# Display brief information about all peer certificates in the PKI domain aaa.
<Sysname> display pki certificate domain aaa peer
Total peer certificates: 1
Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7
Subject Name: CN=sldsslserver
# Display detailed information about a peer certificate in the PKI domain aaa.
<Sysname>...
Netscape Cert Type:
SSL Server
X509v3 Subject Alternative Name:
DNS:docm.com
X509v3 Subject Key Identifier:
3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26
X509v3 CRL Distribution Points:
Full Name:
URI:http://s03130.ccc.sec.com:447/ssl.crl
Signature Algorithm: sha1WithRSAEncryption
61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3:
31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59:
36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c:
85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5:
17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72:
ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2:
ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8:
f0:a5
Related commands
pki domain
pki retrieve-certificate

display pki certificate request-status
Use display pki certificate request-status to display certificate request status.
Character name        Symbol    Character name         Symbol
Backslash             \         Right angle bracket    >
Vertical bar          |         Quotation marks        "
Colon                 :         Apostrophe             '
Usage guidelines
If you do not specify a PKI domain, this command displays the certificate request status for all PKI domains.
Examples
# Display certificate request status for PKI domain aaa.
Related commands
certificate request polling
pki domain
pki retrieve-certificate

display pki crl domain
Use display pki crl domain to display information about the CRL saved locally for a PKI domain.
Syntax
display pki crl domain domain-name
Views
Any view
Predefined user roles
network-admin
network-operator...
Syntax
fqdn fqdn-name-string
undo fqdn
Default
No FQDN is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters in the format hostname@domainname.
Usage guidelines
An FQDN uniquely identifies a PKI entity on a network.
Usage guidelines
Use this command to assign an IP address to a PKI entity or specify an interface for the entity. The interface's primary IPv4 address will be used as the IP address of the PKI entity. If you specify an interface, make sure the interface is assigned an IP address before the PKI entity requests a certificate.
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] ldap-server host 10.0.0.1
# Specify LDAP server 10.0.0.11 in VPN instance vpn1 for PKI domain aaa. Set the port number to 333.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] ldap-server host 10.0.0.11 port 333 vpn-instance vpn1
Related commands
pki retrieve-certificate
pki retrieve-crl...
Default
No organization name is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included.
Examples
# Set the organization name to abc for PKI entity en.
<Sysname>...
Syntax
pki abort-certificate-request domain domain-name
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 50.
Table 50 Special characters
Character name...
Default
No certificate-based access control policies exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A certificate-based access control policy contains a set of access control rules that permit or deny access to the device based on the attributes in the requesting client's certificate.
Usage guidelines
A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates. A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command).
serial serial-num: Specifies a peer certificate by its serial number, a case-insensitive string of 1 to 127 characters. If you do not specify a serial number, this command removes all peer certificates in the PKI domain.
Usage guidelines
When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain.
Default
No PKI domains exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 52.
Table 52 Special characters
Character name Symbol Character name...
Parameters
entity-name: Specifies a name for a PKI entity, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A PKI entity includes the identity information that can be used by a CA to identify a certificate applicant. You can configure multiple attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address.
all: Specifies both CA and local certificates. The RA certificate is excluded.
ca: Specifies the CA certificate.
local: Specifies the local certificates or the local certificates and their private keys.
passphrase p12-key: Specifies a password for encrypting the private key of a local PKCS12 certificate.
When you export the local certificates or all certificates in PEM format, you must specify the cryptographic algorithm and the challenge password for the private key. If you do not specify the cryptographic algorithm and the challenge password, this command does not export the private keys of the local certificates.
W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy
TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j
0gwsHrjV7kWvwJvDlhzGW6xbpr4DRmdcao19Cr6o=
-----END CERTIFICATE-----
# Export the CA certificate in the PKI domain to a file named cacert in PEM format.
<Sysname> system-view
[Sysname] pki export domain domain1 pem ca filename cacert
# Display the CA certificate or the CA certificate chain in the PKI domain on the terminal.
<Sysname>...
-----END CERTIFICATE-----
# Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123.
<Sysname> system-view
[Sysname] pki export domain domain1 p12 local passphrase 123 filename cert-lo.der
# Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format.
Usage guidelines
Use this command to import a certificate in the following situations:
• The CRL repository is not specified or the CA server does not support SCEP.
• The certificate is packed with the server generated key pair in a single file. Only certificate files in PKCS12 or PEM format can contain key pairs.
If a matching key pair is found, the device asks whether you want to overwrite the existing key pair on the device. If no match is found, the device asks you to enter a key pair name (defaulting to the PKI domain name).
Please input the password:********
Local certificate already exist, confirm to overwrite it? [Y/N]:y
The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted. Overwrite it? [Y/N]:y
The system is going to save the key pair.
password password: Sets the password for certificate revocation, a case-sensitive string of 1 to 31 characters. The password is contained in the certificate request and must be provided if the certificate is revoked.
pkcs10: Displays BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 56.
Table 56 Special characters
Character name Symbol Character name Symbol
Tilde...
<Sysname> system-view
[Sysname] pki retrieve-certificate domain aaa peer en1
Related commands
display pki certificate
pki delete-certificate

pki retrieve-crl
Use pki retrieve-crl to obtain CRLs and save them locally.
Syntax
pki retrieve-crl domain domain-name
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
Examples
# Obtain CRLs from the CRL repository.
<Sysname> system-view
[Sysname] pki retrieve-crl domain aaa
Related commands
crl url
ldap server

pki storage
Use pki storage to specify the storage path for the certificates or CRLs.
Use undo pki storage to restore the default.
Syntax
pki storage { certificates | crls } dir-path
undo pki storage { certificates | crls }...
<Sysname> system-view
[Sysname] pki storage crls pki-new

pki validate-certificate
Use pki validate-certificate to verify the validity of certificates.
Syntax
pki validate-certificate domain domain-name { ca | local }
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 58.
Table 58 Special characters...
[Sysname] pki validate-certificate domain aaa ca
Verifying certificate..Serial Number: f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5
Issuer: C=cn O=ccc OU=ppp CN=rootca
Subject: C=cn O=abc OU=test CN=aca
Verify result: OK
Verifying certificate..Serial Number: 5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6
Issuer: C=cn O=ccc OU=ppp CN=rootca
Subject: C=cn O=ccc OU=ppp CN=rootca
Verify result: OK
# Verify the local certificates in PKI domain aaa.
Related commands
crl check
pki domain

public-key dsa
Use public-key dsa to specify a DSA key pair for certificate request.
Use undo public-key to restore the default.
Syntax
public-key dsa name key-name [ length key-length ]
undo public-key
Default
No key pair is specified for certificate request.
Views
PKI domain view
Predefined user roles...
Related commands
pki import
public-key local create

public-key ecdsa
Use public-key ecdsa to specify an ECDSA key pair for certificate request.
Use undo public-key to restore the default.
Syntax
In non-FIPS mode:
public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ]
undo public-key
In FIPS mode:
public-key ecdsa name key-name [ secp256r1 | secp384r1 | secp521r1 ]...
The specified elliptic curve takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and curve before submitting a certificate request. The curve parameter is ignored if the specified key pair already exists or is already contained in an imported certificate.
Usage guidelines
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways:
• Use the public-key local create command to generate a key pair.
• An application, like IKE using digital signature authentication, triggers the device to generate a key pair.
undo root-certificate fingerprint
Default
No fingerprint is set for verifying the root CA certificate.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
md5: Sets an MD5 fingerprint.
sha1: Sets an SHA1 fingerprint.
string: Sets the fingerprint in hexadecimal notation. If you specify the MD5 keyword, the fingerprint is a string of 32 characters.
# Specify an SHA1 fingerprint for verifying the root CA certificate.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
Related commands
certificate request mode
pki import
pki retrieve-certificate

rule
Use rule to create an access control rule.
Use undo rule to remove an access control rule.
Examples
# Create rule 1 to permit all certificates that match certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
Related commands
attribute
display pki certificate access-control-policy
pki certificate attribute-group

source
Use source to specify the source IP address for PKI protocol packets.
Use undo source to restore the default.
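How a certificate-based access control policy (attribute rules grouped into attribute groups, then permit/deny rules over those groups) decides for a given certificate, worked through in Python. This is an added example, not the device's implementation: the fields and attribute kinds follow the attribute command above, while the operation keywords ctn, nctn, equ and nequ, the rule that a group matches only when all of its attribute rules match, and deny-by-default when no rule matches are assumptions; the certificates and the policy are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeRule:
    """One attribute rule of a certificate attribute group. The operation
    keywords are assumed: ctn (contains), nctn (does not contain),
    equ (equals), nequ (does not equal)."""
    field: str   # "subject-name", "issuer-name" or "alt-subject-name"
    attr: str    # "dn", "fqdn" or "ip"
    op: str      # "ctn", "nctn", "equ" or "nequ"
    value: str


def rule_matches(rule: AttributeRule, cert: dict) -> bool:
    """DN tests run on the whole DN string; FQDN and IP tests succeed if any
    listed name or address satisfies them. Comparison is case-insensitive."""
    raw = cert.get(rule.field, {}).get(rule.attr, [])
    values = [raw] if isinstance(raw, str) else list(raw)
    want = rule.value.strip().lower()
    have = [v.strip().lower() for v in values]
    tests = {"ctn": lambda v: want in v, "equ": lambda v: want == v}
    negate = rule.op in ("nctn", "nequ")
    base = rule.op[1:] if negate else rule.op
    if base not in tests:
        raise ValueError(f"unknown operation {rule.op}")
    hit = any(tests[base](v) for v in have)
    return not hit if negate else hit


def group_matches(rules: list, cert: dict) -> bool:
    """Assumed semantics: a certificate matches an attribute group only if it
    satisfies every attribute rule in the group."""
    return all(rule_matches(r, cert) for r in rules)


def evaluate_policy(policy: list, groups: dict, cert: dict):
    """policy: [(rule_id, 'permit' | 'deny', group_name), ...]. Rules are
    checked in ascending id order and the first matching rule decides; a
    certificate that matches no rule is denied (assumed default)."""
    for rule_id, action, group in sorted(policy):
        if group_matches(groups[group], cert):
            return action, rule_id
    return "deny", None


# Constructed certificates, reduced to the fields the policy looks at.
CLIENT_OK = {
    "subject-name": {"dn": "C=cn, O=docm, OU=rnd, CN=client1"},
    "issuer-name": {"dn": "C=cn, O=docm, OU=rnd, CN=rootca"},
    "alt-subject-name": {"fqdn": ["docm.com"], "ip": ["10.0.0.5"]},
}
FOREIGN_CA = {**CLIENT_OK, "issuer-name": {"dn": "C=cn, O=other, CN=otherca"}}
WRONG_ORG = {**CLIENT_OK, "subject-name": {"dn": "C=cn, O=evil, CN=client1"}}

# Two constructed attribute groups and a policy in the spirit of
# "rule 1 deny mygroup2" / "rule 2 permit mygroup1" under mypolicy.
GROUPS = {
    "mygroup1": [AttributeRule("subject-name", "dn", "ctn", "O=docm"),
                 AttributeRule("alt-subject-name", "fqdn", "equ", "docm.com")],
    "mygroup2": [AttributeRule("issuer-name", "dn", "nctn", "CN=rootca")],
}
MYPOLICY = [(1, "deny", "mygroup2"), (2, "permit", "mygroup1")]


def decide(cert: dict):
    """Apply the constructed policy to a certificate: (action, matching rule id)."""
    return evaluate_policy(MYPOLICY, GROUPS, cert)


if __name__ == "__main__":
    for name, cert in [("CLIENT_OK", CLIENT_OK), ("FOREIGN_CA", FOREIGN_CA),
                       ("WRONG_ORG", WRONG_ORG)]:
        print(name, decide(cert))
```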
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] source ipv6 1::8
# Use the IP address of VLAN-interface 1 as the source IP address for PKI protocol packets.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] source ip interface vlan-interface 1
# Use the IPv6 address of VLAN-interface 1 as the source IPv6 address for PKI protocol packets.
<Sysname>...
Default
No extensions for certificates are specified. A certificate can be used for IKE, SSL clients, and SSL servers.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
ike: Specifies the IKE certificate extension so IKE peers can use the certificates.
ssl-client: Specifies the SSL client certificate extension so the SSL client can use the certificates.
IPsec commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1

description
Use description to configure a description for an IPsec policy, IPsec policy template, or IPsec profile.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for an IPsec policy, IPsec policy template, or IPsec profile.
Views
IPsec policy view
IPsec policy template view...
mdc-operator
Parameters
ipv6-policy: Displays information about IPv6 IPsec policies.
policy: Displays information about IPv4 IPsec policies.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec policies.
Outbound ESP setting:
ESP SPI: 1500 (0x000005dc)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
-----------------------------
Sequence number: 2
Mode: ISAKMP
-----------------------------
The policy configuration is incomplete:
Remote-address not set
ACL not specified
Transform-set not set
Description: This is my first IPv4 Isakmp policy
Traffic Flow Confidentiality: Enabled
Security data flow:
Selector mode: standard...
Field                        Description
IKEv2 profile                IKEv2 profile used by the IPsec policy.
SA duration(time based)      Time-based IPsec SA lifetime, in seconds.
SA duration(traffic based)   Traffic-based IPsec SA lifetime, in kilobytes.
SA idle time                 Idle timeout of the IPsec SA, in seconds.
AH string key.
If you specify an IPsec policy template name and a sequence number, this command displays information about the specified IPsec policy template entry. If you specify an IPsec policy template name without any sequence number, this command displays information about all IPsec policy template entries with the specified name.
Table 60 Command output
Field                         Description
IPsec Policy Template         IPsec policy template name.
Sequence number               Sequence number of the IPsec policy template entry.
Description                   Description of the IPsec policy template.
Traffic Flow Confidentiality  Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Security data flow            ACL used by the IPsec policy template.
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about all IPsec SAs.
count: Displays the number of IPsec SAs.
interface interface-type interface-number: Specifies an interface by its type and number.
ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy.
<Sysname> display ipsec sa count
Total IPsec SAs count: 4
# Display detailed information about all IPsec SAs.
<Sysname> display ipsec sa
-------------------------------
Interface: Vlan-interface100
-------------------------------
-----------------------------
IPsec policy: r2
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 3
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VRF: vp1
Extended Sequence Numbers enable: Y...
-------------------------------
Global IPsec SA
-------------------------------
-----------------------------
IPsec profile: profile
Mode: Manual
-----------------------------
Encapsulation mode: transport
[Inbound AH SA]
SPI: 1234563 (0x0012d683)
Connection ID: 64426789452
Transform set: AH-SHA1
No duration limit for this SA
[Outbound AH SA]
SPI: 1234563 (0x002d683)
Connection ID: 64428999468
Transform set: AH-SHA1
No duration limit for this SA
Table 63 Command output...
Field            Description
Path MTU         Path MTU of the IPsec SA.
Tunnel           Local and remote addresses of the IPsec tunnel.
local address    Local end IP address of the IPsec tunnel.
remote address   Remote end IP address of the IPsec tunnel.
Flow             Information about the data flow protected by the IPsec tunnel.
Parameters
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
Usage guidelines
If you do not specify any parameters, this command displays statistics for all IPsec packets.
Table 64 Command output
Field                              Description
Received/sent packets              Number of received/sent IPsec-protected packets.
Received/sent bytes                Number of bytes of received/sent IPsec-protected packets.
Dropped packets (received/sent)    Number of dropped IPsec-protected packets (received/sent).
No available SA                    Number of packets dropped due to lack of available IPsec SA.
Wrong SA                           Number of packets dropped due to wrong IPsec SA.
display ipsec tunnel
Use display ipsec tunnel to display information about IPsec tunnels.
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about IPsec tunnels.
count: Displays the number of IPsec tunnels.
Field          Description
Outbound SPI   Valid SPI in the outbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the outbound direction are displayed in two lines.
Status         Status of the IPsec SA, which can only be Active.
# Display the number of IPsec tunnels.
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow:
as defined in ACL 3100
Table 67 Command output
Field       Description
Tunnel ID   IPsec ID, used to uniquely identify an IPsec tunnel.
Status      IPsec tunnel status, which can only be Active.
Predefined user roles
network-admin
mdc-admin
Parameters
transport: Uses the transport mode for IP packet encapsulation.
tunnel: Uses the tunnel mode for IP packet encapsulation.
Usage guidelines
IPsec supports the following encapsulation modes:
• Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers.
mdc-admin
Parameters
both: Specifies IPsec to support both extended sequence number and traditional sequence number. If you do not specify this keyword, IPsec only supports extended sequence number.
Usage guidelines
The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority. For a manual or IKEv1-based IPsec policy, the first specified ESP authentication algorithm takes effect.
aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.
aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2.
aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key. This keyword is available only for IKEv2.
ike-profile
Use ike-profile to specify an IKE profile for an IPsec policy, IPsec policy template, or IPsec profile.
Use undo ike-profile to restore the default.
Syntax
ike-profile profile-name
undo ike-profile
Default
No IKE profile is specified for an IPsec policy, IPsec policy template, or IPsec profile.
Views
IPsec policy view
IPsec policy template view...
Default
No IKEv2 profile is specified.
Views
IPsec policy view
IPsec policy template view
Predefined user roles
network-admin
mdc-admin
Parameters
profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The IKEv2 profile specified for an IPsec policy or IPsec policy template defines the parameters used for IKEv2 negotiation.
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies a sequence number for the IPsec policy entry, in the range of 1 to 65535.
isakmp: Establishes IPsec SAs through IKE negotiation.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. A smaller number indicates a higher priority.
Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies an IPsec policy name, a case-insensitive string of 1 to 63 characters. local-address interface-type interface-number: Specifies the shared source interface by its type and number. Usage guidelines For high availability, two interfaces can operate in backup mode.
Parameters ipv6-policy-template: Specifies an IPv6 IPsec policy template. policy-template: Specifies an IPv4 IPsec policy template. template-name: Specifies a name for the IPsec policy template, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy template entry, in the range of 1 to 65535.
Usage guidelines IPsec packet de-encapsulation involves complex computation. De-encapsulating replayed packets is unnecessary, consumes large amounts of resources, and degrades performance, which can result in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, so a replayed packet is dropped before it can consume those resources. In some situations, service data packets are received in a different order than their original order.
[Sysname] ipsec anti-replay window 128 Related commands ipsec anti-replay check ipsec apply Use ipsec apply to apply an IPsec policy to an interface. Use undo ipsec apply to remove an IPsec policy application from an interface. Syntax ipsec apply { ipv6-policy | policy } policy-name undo ipsec apply { ipv6-policy | policy } Default No IPsec policy is applied to an interface.
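The anti-replay check described above, as an added example that is not the device's or the vendor's code: a bitmap sliding window in the style of RFC 4303, sized to the 128-packet window from the ipsec anti-replay window 128 example, run over a constructed trace of ESP sequence numbers that contains an out-of-order packet, a replay and a packet that falls outside the window.

```python
"""Model of IPsec ESP anti-replay checking with a sliding window.

Added example, not code from the device or the vendor. The window width,
the sequence numbers and the packet order below are constructed.
"""


class AntiReplayWindow:
    """Sliding window over received ESP sequence numbers.

    The window covers [top - size + 1, top]. Bit i of `mask` records that
    sequence number (top - i) has already been accepted.
    """

    def __init__(self, size: int = 128) -> None:
        if size <= 0 or size % 32:
            raise ValueError("window size must be a positive multiple of 32")
        self.size = size
        self.top = 0   # highest sequence number accepted so far
        self.mask = 0  # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> tuple[bool, str]:
        """Return (accepted, reason) for an inbound sequence number.

        The check runs before de-encapsulation, so a rejected replay never
        costs an authentication or decryption operation.
        """
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            # New high-water mark: slide the window forward and mark seq.
            shift = seq - self.top
            self.mask = (self.mask << shift) if shift < self.size else 0
            self.mask |= 1
            self.mask &= (1 << self.size) - 1
            self.top = seq
            return True, "new highest sequence number"
        offset = self.top - seq
        if offset >= self.size:
            return False, "older than the window (stale or replayed)"
        if self.mask & (1 << offset):
            return False, "duplicate inside the window (replay)"
        # Out of order but still inside the window: accept and mark it.
        self.mask |= 1 << offset
        return True, "out-of-order packet inside the window"


def run_trace(window_size: int, seqs: list[int]) -> list[tuple[int, bool, str]]:
    """Feed a constructed sequence-number trace through the check."""
    win = AntiReplayWindow(window_size)
    results = []
    for seq in seqs:
        ok, why = win.check_and_update(seq)
        results.append((seq, ok, why))
    return results


if __name__ == "__main__":
    # Constructed trace: in-order delivery, one reordered packet (4 after 5),
    # a replay of 3, a jump to 200, then 73 (still inside a 128-wide window)
    # and 72 (just outside it).
    trace = [1, 2, 3, 5, 4, 3, 200, 73, 72]
    for seq, ok, why in run_trace(128, trace):
        print(f"seq={seq:4d} {'ACCEPT' if ok else 'DROP  '} {why}")
```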
Syntax ipsec decrypt-check enable undo ipsec decrypt-check enable Default ACL checking for de-encapsulated IPsec packets is enabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy.
Usage guidelines This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode. This command does not change the DF bit for the original IP header of IPsec packets. If multiple interfaces use an IPsec policy that is bound to a source interface, you must use the same DF bit setting on these interfaces.
Examples # Configure the device to fragment packets after IPsec encapsulation. <Sysname> system-view [Sysname] ipsec fragmentation after-encryption ipsec global-df-bit Use ipsec global-df-bit to configure the DF bit for the outer IP header of IPsec packets on all interfaces. Use undo ipsec global-df-bit to restore the default. Syntax ipsec global-df-bit { clear | copy | set } undo ipsec global-df-bit...
Use undo ipsec limit max-tunnel to restore the default. Syntax ipsec limit max-tunnel tunnel-limit undo ipsec limit max-tunnel Default The number of supported IPsec tunnels varies by the device model. Views System view Predefined user roles network-admin mdc-admin Parameters tunnel-limit: Specifies the maximum number of IPsec tunnels, in the range of 1 to 4294967295. Usage guidelines To maximize concurrent performance of IPsec when memory is sufficient, increase the maximum number of IPsec tunnels.
failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded. Examples # Enable logging for IPsec packets. <Sysname> system-view [Sysname] ipsec logging packet enable ipsec profile Use ipsec profile to create an IPsec profile and enter its view, or enter the view of an existing IPsec profile.
Default The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes. Views System view Predefined user roles network-admin mdc-admin Parameters time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.
Views System view Predefined user roles network-admin mdc-admin Parameters seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds. Usage guidelines This feature applies only to IPsec SAs negotiated by IKE. The IPsec SA idle timeout can also be configured in IPsec policy view, IPsec policy template view, or IPsec profile view, which takes precedence over the global IPsec SA timeout.
Examples # Create an IPsec transform set named tran1 and enter its view. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-transform-set-tran1] Related commands display ipsec transform-set local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default. Syntax local-address ipv4-address undo local-address...
Use undo protocol to restore the default. Syntax protocol { ah | ah-esp | esp } undo protocol Default The IPsec transform set uses the ESP protocol. Views IPsec transform set view Predefined user roles network-admin mdc-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol.
Usage guidelines The QoS pre-classify feature enables QoS to classify packets by using the IP header of the original IP packets. Examples # Enable the QoS pre-classify feature. <Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] qos pre-classify redundancy replay-interval Use redundancy replay-interval to set the anti-replay window lower bound value synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.
[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test # Change the IP address for the host test to 2.2.2.2. [Sysname] ip host test 2.2.2.2 In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host. # Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
mdc-admin Parameters tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id argument is 0 to 4294967295. If you do not specify this option, the command clears all IPsec packet statistics. Examples # Clear IPsec packet statistics. <Sysname>...
[Sysname-ipsec-policy-isakmp-1-1] reverse-route dynamic
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. The static route created by IPsec RRI is shown. (Other information is not shown.)
[Sysname] display ip routing-table
Destinations : 1 Routes : 1
Destination/Mask Proto Cost NextHop Interface
3.0.0.0/24 Static 60 1.1.1.2 Vlan100
Related commands...
Related commands ipsec policy ipsec policy-template reverse-route tag Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. Use undo reverse-route tag to restore the default. Syntax reverse-route tag tag-value undo reverse-route tag Default The route tag value is 0 for the static routes created by IPsec RRI.
undo sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy, IPsec policy template, or IPsec profile is the current global SA lifetime. Views IPsec policy view IPsec policy template view IPsec profile view Predefined user roles network-admin mdc-admin Parameters...
undo sa hex-key authentication { inbound | outbound } { ah | esp } Default No hexadecimal authentication keys are configured for manual IPsec SAs. Views IPsec policy view IPsec profile view Predefined user roles network-admin mdc-admin Parameters inbound: Specifies a hexadecimal authentication key for the inbound SA. outbound: Specifies a hexadecimal authentication key for the outbound SA.
sa string-key sa hex-key encryption Use sa hex-key encryption to configure an encryption key for a manual IPsec SA. Use undo sa hex-key encryption to delete an encryption key for a manual IPsec SA. Syntax sa hex-key encryption { inbound | outbound } esp { cipher | simple } string undo sa hex-key encryption { inbound | outbound } esp Default No hexadecimal encryption keys are configured for manual IPsec SAs.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel. If you execute this command multiple times for the same direction, the most recent configuration takes effect.
Examples # Set the IPsec SA idle timeout to 600 seconds for IPsec policy map. <Sysname> system-view [Sysname] ipsec policy map 100 isakmp [Sysname-ipsec-policy-isakmp-map-100] sa idle-time 600 Related commands display ipsec sa ipsec sa idle-time sa spi Use sa spi to configure an SPI for IPsec SAs. Use undo sa spi to remove the SPI.
area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP4+, the scope consists of BGP4+ peers or a BGP4+ peer group. Examples # Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in a manual IPsec policy.
The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA. The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format).
mdc-admin Parameters acl-number: Specifies an ACL by its number in the range of 3000 to 3999. name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. aggregation: Specifies the data protection mode as aggregation. The device does not support protecting IPv6 data flows in aggregation mode.
[Sysname] snmp-agent trap enable ipsec global # Enable SNMP notifications for events of creating IPsec tunnels. [Sysname] snmp-agent trap enable ipsec tunnel-start tfc enable Use tfc enable to enable Traffic Flow Confidentiality (TFC) padding. Use undo tfc enable to disable TFC padding. Syntax tfc enable undo tfc enable...
Default No IPsec transform set is specified for an IPsec policy, IPsec policy template, or IPsec profile. Views IPsec policy view IPsec policy template view IPsec profile view Predefined user roles network-admin mdc-admin Parameters transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names, a case-insensitive string of 1 to 63 characters.
IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. aaa authorization Use aaa authorization to enable IKE AAA authorization.
Examples # Create IKE profile profile1. <Sysname> system-view [Sysname] ike profile profile1 # Enable AAA authorization. Specify ISP domain abc and username test. [Sysname-ike-profile-profile1] aaa authorization domain abc username test authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default.
authentication-method Use authentication-method to specify an authentication method to be used in an IKE proposal. Use undo authentication-method to restore the default. Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles...
Use undo certificate domain to remove a PKI domain for signature authentication. Syntax certificate domain domain-name undo certificate domain domain-name Default No PKI domains are specified for signature authentication. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. Usage guidelines You can specify a maximum of six PKI domains for an IKE profile by executing this command multiple times.
client-authentication Use client-authentication to enable client authentication. Use undo client-authentication to disable client authentication. Syntax client-authentication xauth undo client-authentication Default Client authentication is disabled. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters xauth: Uses Extended Authentication within ISAKMP/Oakley (XAUTH) for authentication. Usage guidelines Client authentication enables an IPsec gateway to authenticate remote users through a RADIUS server in IKE negotiation.
Predefined user roles network-admin mdc-admin Parameters text: Specifies the description, a case-sensitive string of 1 to 80 characters. Usage guidelines When multiple IKE proposals exist, configure a different description for each one so that they can be distinguished. Examples # Configure a description of test for IKE proposal 1. <Sysname>...
Usage guidelines A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose a proper Diffie-Hellman group for your network. Examples # Specify the 2048-bit Diffie-Hellman group group1 to be used for key negotiation in IKE phase 1 in IKE proposal 1.
Field Description
Authentication algorithm: Authentication algorithm used in the IKE proposal: • MD5—HMAC-MD5 algorithm. • SHA1—HMAC-SHA1 algorithm. • SHA256—HMAC-SHA256 algorithm. • SHA384—HMAC-SHA384 algorithm. • SHA512—HMAC-SHA512 algorithm.
Encryption algorithm used by the IKE proposal: • 3DES-CBC—168-bit 3DES algorithm in CBC mode. •...
Usage guidelines If you do not specify any parameters, this command displays summary information about all IKE SAs. Examples # Display summary information about all IKE SAs. <Sysname> display ike sa Connection-ID Remote Flag ---------------------------------------------------------- 202.38.0.2 IPsec Flags: RD--READY RL--REPLACED FD-FADING RK-REKEY Table 69 Command output Field Description...
Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected Extend authentication: Enabled Assigned IP address: 192.168.2.1 # Display detailed information about the IKE SA with a remote address of 4.4.4.5. <Sysname> display ike sa verbose remote-address 4.4.4.5 --------------------------------------------- Connection ID: 2 Outside VPN:...
Field Description
Transmitting entity: Role of the IKE negotiation entity: Initiator or Responder.
Local IP: IP address of the local gateway.
Local ID type: Identifier type of the local gateway.
Local ID: Identifier of the local gateway.
Remote IP: IP address of the remote gateway.
Remote ID type: Identifier type of the remote gateway.
Predefined user roles network-admin mdc-admin Parameters interval interval: Specifies a DPD triggering interval in the range of 1 to 300 seconds. retry seconds: Specifies the DPD retry interval in the range of 1 to 60 seconds. The default is 5 seconds.
Views IKE proposal view Predefined user roles network-admin mdc-admin Parameters 3des-cbc: Specifies the 3DES algorithm in CBC mode. The 3DES algorithm uses a 168-bit key for encryption. aes-cbc-128: Specifies the AES algorithm in CBC mode. The AES algorithm uses a 128-bit key for encryption.
Parameters aggressive: Specifies the aggressive mode. main: Specifies the main mode. Usage guidelines As a best practice, specify the aggressive mode at the local end if the following conditions are met: • The local end, for example, a dialup user, obtains an IP address automatically. •...
Examples # Configure an IKE IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask 255.255.255.0. <Sysname> system-view [Sysname] ike address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0 # Configure an IKE IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask length 32.
Examples # Configure on-demand DPD with a triggering interval of 10 seconds and a retry interval of 5 seconds when the peer does not respond. <Sysname> system-view [Sysname] ike dpd interval 10 retry 5 on-demand Related commands ike identity Use ike identity to specify the global identity used by the local end during IKE negotiations. Use undo ike identity to restore the default.
Examples # Specify IP address 2.2.2.2 as the identity. <Sysname> system-view [Sysname] ike identity address 2.2.2.2 Related commands local-identity ike signature-identity from-certificate ike invalid-spi-recovery enable Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery. Use undo ike invalid-spi-recovery enable to disable invalid SPI recovery. Syntax ike invalid-spi-recovery enable undo ike invalid-spi-recovery enable...
Syntax ike keepalive interval interval undo ike keepalive interval Default No IKE keepalives are sent. Views System view Predefined user roles network-admin mdc-admin Parameters interval: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800. Usage guidelines To detect the status of the peer, configure IKE DPD instead of the IKE keepalive feature, unless IKE DPD is not supported on the peer.
Parameters seconds: Specifies the number of seconds between IKE keepalives. The value range for this argument is 20 to 28800. Usage guidelines If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
[Sysname] ike keychain key1 [Sysname-ike-keychain-key1] Related commands authentication-method pre-shared-key ike limit Use ike limit to set the maximum number of half-open or established IKE SAs. Use undo ike limit to restore the default. Syntax ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit } undo ike limit { max-negotiating-sa | max-sa } Default There is no limit to the maximum number of half-open or established IKE SAs.
Use undo ike nat-keepalive to restore the default. Syntax ike nat-keepalive seconds undo ike nat-keepalive Default The NAT keepalive interval is 20 seconds. Views System view Predefined user roles network-admin mdc-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300. Usage guidelines This command takes effect only for a device that resides in the private network behind a NAT gateway.
Examples # Create IKE profile 1 and enter its view. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] ike proposal Use ike proposal to create an IKE proposal and enter its view, or enter the view of an existing IKE proposal. Use undo ike proposal to delete an IKE proposal.
<Sysname> system-view [Sysname] ike proposal 1 [Sysname-ike-proposal-1] Related commands display ike proposal ike signature-identity from-certificate Use ike signature-identity from-certificate to configure the local device to obtain the identity information from the local certificate for signature authentication. Use undo ike signature-identity from-certificate to restore the default. Syntax ike signature-identity from-certificate undo ike signature-identity from-certificate...
Syntax inside-vpn vpn-instance vpn-instance-name undo inside-vpn Default No inside VPN instance is specified for an IKE profile. The device forwards protected data to the VPN instance where the interface that receives the data resides. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters...
Usage guidelines You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. Examples # Specify IKE keychain abc for IKE profile 1. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] keychain abc Related commands ike keychain...
The initiator uses the local ID to identify itself to the responder. The responder compares the initiator's ID with the peer IDs configured by the match remote command to look for a matching IKE profile. An IKE profile can have only one local ID. An IKE profile with no local ID specified uses the local ID configured by using the ike identity command in system view.
You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. To give an IKE keychain a higher priority, you can configure this command for the keychain. For example, suppose you specified IKE keychain A before specifying IKE keychain B, and you configured the peer ID 2.2.0.0/16 for IKE keychain A and the peer ID 2.2.2.0/24 for IKE keychain B.
An IKE profile configured earlier has a higher priority. To give an IKE profile that is configured later a higher priority, you can configure this command for the profile. For example, suppose you configured IKE profile A before configuring IKE profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKE profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKE profile B.
address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKE profile matching. The prefix-length argument is in the range of 0 to 128. • address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKE profile matching.
[Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456TESTplat&! Related commands authentication-method keychain priority (IKE keychain view) Use priority to specify a priority for an IKE keychain. Use undo priority to restore the default. Syntax priority priority undo priority Default The priority of an IKE keychain is 100. Views IKE keychain view Predefined user roles...
Default The priority of an IKE profile is 100. Views IKE profile view Predefined user roles network-admin mdc-admin Parameters priority priority: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority. Usage guidelines To determine the priority of an IKE profile, the device examines the existence of the match local address command before examining the priority number.
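The profile selection rules stated above (for IKE keychains and IKE profiles: earlier configuration wins, a later entry can be promoted with priority, and the existence of match local address is examined before the priority number), as an added example that is not the device's code. The ordering key is an assumption built from those statements, and the profile names and the 2.2.2.1 to 2.2.2.100 / 2.2.2.1 to 2.2.2.10 ranges are taken from the example above; the IKE keychain case on this page follows the same rules except for the match local address step.

```python
"""Model of IKE profile selection for an initiator's peer ID.

Added example, not the device's code. Assumed ordering, derived from the
page: profiles with 'match local address' first, then ascending priority
number (1 to 65535, default 100, smaller is higher), then configuration
order. Names and addresses below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class IkeProfile:
    name: str
    config_order: int                  # order in which the profile was created
    priority: int = 100                # 'priority' command; default 100
    has_match_local_address: bool = False
    # Peer IDs from 'match remote identity address ...': host/subnet form
    # or an inclusive (low, high) range.
    peer_networks: list[IPv4Network] = field(default_factory=list)
    peer_ranges: list[tuple[IPv4Address, IPv4Address]] = field(default_factory=list)

    def matches(self, peer: IPv4Address) -> bool:
        if any(peer in net for net in self.peer_networks):
            return True
        return any(low <= peer <= high for low, high in self.peer_ranges)


def select_profile(profiles: list[IkeProfile], peer_ip: str) -> Optional[IkeProfile]:
    """Return the profile the model picks for an initiator at peer_ip, or None."""
    peer = IPv4Address(peer_ip)
    candidates = [p for p in profiles if p.matches(peer)]
    if not candidates:
        return None
    candidates.sort(
        key=lambda p: (not p.has_match_local_address, p.priority, p.config_order)
    )
    return candidates[0]


def ip_range(low: str, high: str) -> tuple[IPv4Address, IPv4Address]:
    return IPv4Address(low), IPv4Address(high)


def demo() -> dict[str, str]:
    """Show that a narrower, later-configured profile loses until it is given a priority."""
    # Profile A: configured first, matches 2.2.2.1 to 2.2.2.100.
    a = IkeProfile("A", 1, peer_ranges=[ip_range("2.2.2.1", "2.2.2.100")])
    # Profile B: configured second, matches only 2.2.2.1 to 2.2.2.10.
    b = IkeProfile("B", 2, peer_ranges=[ip_range("2.2.2.1", "2.2.2.10")])
    before = select_profile([a, b], "2.2.2.5").name    # A wins: configured earlier
    b.priority = 50                                     # 'priority 50' in profile B
    after = select_profile([a, b], "2.2.2.5").name     # B now wins
    outside = select_profile([a, b], "2.2.2.50").name  # only A matches
    return {"before": before, "after": after, "outside": outside}


if __name__ == "__main__":
    print(demo())
```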
Examples # Specify IKE proposal 10 for IKE profile prof1. <Sysname> system-view [Sysname] ike profile prof1 [Sysname-ike-profile-prof1] proposal 10 Related commands ike proposal reset ike sa Use reset ike sa to delete IKE SAs. Syntax reset ike sa [ connection-id connection-id ] Views User view Predefined user roles...
reset ike statistics Use reset ike statistics to clear IKE MIB statistics. Syntax reset ike statistics Views User view Predefined user roles network-admin mdc-admin Examples # Clear IKE MIB statistics. <Sysname> reset ike statistics Related commands snmp-agent trap enable ike sa duration Use sa duration to set the IKE SA lifetime for an IKE proposal.
[Sysname-ike-proposal-1] sa duration 600 Related commands display ike proposal snmp-agent trap enable ike Use snmp-agent trap enable ike to enable SNMP notifications for IKE. Use undo snmp-agent trap enable ike to disable SNMP notifications for IKE. Syntax snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *...
tunnel-stop: Specifies notifications about events of deleting IKE tunnels. unsupport-exch-type: Specifies notifications about negotiation-type-unsupported failures. Usage guidelines If you do not specify any keywords, this command enables or disables all SNMP notifications for IKE. To generate and output SNMP notifications for a specific IKE failure type or event type, perform the following tasks: Enable SNMP notifications for IKE globally.
# Enable AAA authorization. Specify ISP domain name abc and username test. [Sysname-ikev2-profile-profile1] aaa authorization domain abc username test Related commands display ikev2 profile address Use address to specify the IP address or IP address range of an IKEv2 peer. Use undo address to restore the default.
authentication-method Use authentication-method to specify the local or remote identity authentication method. Use undo authentication-method to remove the local or remote identity authentication method. Syntax authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature } undo authentication-method local undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share | rsa-signature }...
# Specify PKI domain abc for signature. Specify PKI domain def for verification. [Sysname-ikev2-profile-profile1] certificate domain abc sign [Sysname-ikev2-profile-profile1] certificate domain def verify Related commands authentication-method pki domain config-exchange Use config-exchange to enable configuration exchange. Use undo config-exchange to disable configuration exchange. Syntax config-exchange { request | set { accept | send } } undo config-exchange { request | set { accept | send } }...
# Enable the local end to add the configuration request payload to the request message of IKE_AUTH exchange. [Sysname-ikev2-profile-profile1] config-exchange request Related commands aaa authorization display ikev2 profile Use dh to specify DH groups to be used in IKEv2 key negotiation. Use undo dh to restore the default.
Field Description Match local address IPv4 address to which the IKEv2 policy can be applied. Match local address ipv6 IPv6 address to which the IKEv2 policy can be applied. Match VRF VPN instance to which the IKEv2 policy can be applied. Proposal IKEv2 proposal that the IKEv2 policy uses.
Domain2 SA duration: 500 DPD: Interval 32, retry 23, periodic Config exchange: Request, Set send, Set accept NAT keepalive: 10 AAA authorization: Domain domain1, username ikev2 Table 72 Command output Field Description IKEv2 profile Name of the IKEv2 profile. Priority Priority of the IKEv2 profile.
Syntax display ikev2 proposal [ name | default ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters. default: Specifies the default IKEv2 proposal. Usage guidelines This command displays IKEv2 proposals in descending order of priorities.
display ikev2 sa Use display ikev2 sa to display the IKEv2 SA information. Syntax display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ] ] Views Any view Predefined user roles...
1.1.1.1/500 1.1.1.2/500 Status: IN-NEGO: Negotiating, EST: Established, DEL: Deleting Table 74 Command output Field Description Tunnel ID ID of the IPsec tunnel to which the IKEv2 SA belongs. Local Local IP address of the IKEv2 SA. Remote Remote IP address of the IKEv2 SA. Status of the IKEv2 SA: •...
Remote next message ID: 0 Pushed IP address: 192.168.1.5 Assigned IP address: 192.168.2.24 # Display detailed IKEv2 SA information for the remote IP address 1.1.1.2. <Sysname> display ikev2 sa remote 1.1.1.2 verbose Tunnel ID: 1 Local IP/Port: 1.1.1.1/500 Remote IP/Port: 1.1.1.2/500 Outside VRF: - Inside VRF: - Local SPI: 8f8af3dbf5023a00...
Field Description
Remote IP/Port: IP address and port number of the remote security gateway.
Outside VRF: Name of the VPN instance to which the protected outbound data flow belongs. If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).
Inside VRF: Name of the VPN instance to which the protected inbound data flow belongs.
hostname Use hostname to specify the host name of an IKEv2 peer. Use undo hostname to restore the default. Syntax hostname name undo hostname Default The IKEv2 peer's host name is not specified. Views IKEv2 peer view Predefined user roles network-admin mdc-admin Parameters...
Views IKEv2 peer view Predefined user roles network-admin mdc-admin Parameters ipv4-address: Specifies the IPv4 address of the peer. ipv6 ipv6-address: Specifies the IPv6 address of the peer. fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
Views IKEv2 profile view Predefined user roles network-admin mdc-admin Parameters address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID. dn: Uses the DN in the local certificate as the local ID. email email-string: Uses an email address as the local ID. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as sec@abc.com.
Parameters group-name: Specifies a name for the IKEv2 IPv4 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters. start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4 address.
responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation. This feature can protect the responder against DoS attacks which aim to exhaust the responder's system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses.
[Sysname] ikev2 dpd interval 15 on-demand # Configure the device to trigger IKEv2 DPD every 15 seconds. <Sysname> system-view [Sysname] ikev2 dpd interval 15 periodic Related commands dpd (IKEv2 profile view) ikev2 ipv6-address-group Use ikev2 ipv6-address-group to configure an IKEv2 IPv6 address pool for assigning IPv6 addresses to remote peers.
ikev2 keychain Use ikev2 keychain to create an IKEv2 keychain and enter its view, or enter the view of an existing IKEv2 keychain. Use undo ikev2 keychain to delete an IKEv2 keychain. Syntax ikev2 keychain keychain-name undo ikev2 keychain keychain-name Default No IKEv2 keychains exist.
mdc-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600. Usage guidelines This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
If no IKEv2 policy is configured, the default IKEv2 policy is used. You cannot enter the view of the default IKEv2 policy, nor modify it. Examples # Create an IKEv2 policy named policy1 and enter IKEv2 policy view. <Sysname> system-view [Sysname] ikev2 policy policy1 [Sysname-ikev2-policy-policy1] Related commands...
Use undo ikev2 proposal to delete an IKEv2 proposal. Syntax ikev2 proposal proposal-name undo ikev2 proposal proposal-name Default An IKEv2 proposal named default exists, which has the lowest priority and uses the following settings: • In non-FIPS mode: Encryption algorithm—AES-CBC-128 and 3DES. ...
Related commands encryption-algorithm integrity inside-vrf Use inside-vrf to specify an inside VPN instance. Use undo inside-vrf to restore the default. Syntax inside-vrf vrf-name undo inside-vrf Default No inside VPN instance is specified. The internal and external networks are in the same VPN instance.
Default No IKEv2 keychain is specified for an IKEv2 profile. Views IKEv2 profile view Predefined user roles network-admin mdc-admin Parameters keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-). Usage guidelines An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication.
Parameters address: Specifies a local interface or IP address to which an IKEv2 profile can be applied. interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
mdc-admin Parameters interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. Usage guidelines IKEv2 policies with this command configured are looked up before those that do not have this command configured.
address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKEv2 profile matching. The value range for the mask-length argument is 0 to 32. • address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKEv2 profile matching.
Default No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network. Views IKEv2 policy view Predefined user roles network-admin mdc-admin Parameters name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: Specifies the public network and all VPN instances.
Parameters name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: Specifies the public network and all VPN instances. Usage guidelines If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation.
# Set the NAT keepalive interval to 1200 seconds. [Sysname-ikev2-profile-profile1]nat-keepalive 1200 Related commands display ikev2 profile ikev2 nat-keepalive peer Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer. Use undo peer to delete an IKEv2 peer. Syntax peer name undo peer name...
pre-shared-key Use pre-shared-key to configure a pre-shared key. Use undo pre-shared-key to delete a pre-shared key. Syntax pre-shared-key [ local | remote ] { ciphertext | plaintext } string undo pre-shared-key [ local | remote ] Default No pre-shared key exists. Views IKEv2 peer view Predefined user roles...
# Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-a and the key for certificate authentication is 111-key-b. [Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a [Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b • On the responder: # Create an IKEv2 keychain named telecom. <Sysname>...
Parameters aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm. md5: Uses the HMAC-MD5 algorithm. sha1: Uses the HMAC-SHA1 algorithm. sha256: Uses the HMAC-SHA256 algorithm. sha384: Uses the HMAC-SHA384 algorithm. sha512: Uses the HMAC-SHA512 algorithm. Usage guidelines You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
<Sysname> system-view [Sysname] ikev2 policy policy1 [Sysname-ikev2-policy-policy1] priority 10 Related commands display ikev2 policy priority (IKEv2 profile view) Use priority to set a priority for an IKEv2 profile. Use undo priority to restore the default. Syntax priority priority undo priority Default The priority of an IKEv2 profile is 100.
Views IKEv2 policy view Predefined user roles network-admin mdc-admin Parameters proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.
fast: Notifies the peers of the deletion and deletes IKEv2 SAs directly before receiving the peers' responses. If you do not specify this keyword, the device notifies the peers of the deletion and deletes IKEv2 SAs after it receives the peers' responses. Usage guidelines Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA.
sa duration Use sa duration to set the IKEv2 SA lifetime. Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration Default The IKEv2 SA lifetime is 86400 seconds. Views IKEv2 profile view Predefined user roles network-admin mdc-admin Parameters...
SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
Field Description
SSH authentication-timeout: Authentication timeout timer.
SSH server key generating interval: Minimum interval for updating the RSA server key pair.
SSH authentication retries: Maximum number of authentication attempts for SSH users.
SFTP server: Whether the SFTP server is enabled.
SFTP server Idle-Timeout: SFTP connection idle timeout timer.
Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If you do not specify an SSH user, this command displays information about all SSH users. Usage guidelines This command displays information only about SSH users that are configured by using the ssh user command on the SSH server.
Syntax free ssh { user-ip { ip-address | ipv6 ipv6-address } [ port port-number ] | user-pid pid-number | username username } Views User view Predefined user roles network-admin mdc-admin Parameters user-ip: Specifies the user IP address of the SSH sessions to be disconnected. ip-address: Specifies the user IPv4 address of the SSH sessions to be disconnected.
Default The SCP server is disabled. Views System view Predefined user roles network-admin mdc-admin Examples # Enable the SCP server. <Sysname> system-view [Sysname] scp server enable Related commands display ssh server sftp server enable Use sftp server enable to enable the SFTP server. Use undo sftp server enable to disable the SFTP server.
undo sftp server idle-timeout Default The idle timeout timer is 10 minutes for SFTP connections. Views System view Predefined user roles network-admin mdc-admin Parameters time-out-value: Specifies an idle timeout timer in the range of 1 to 35791 minutes. Usage guidelines If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection.
Usage guidelines The ACL specified in this command filters IPv4 SSH clients' connection requests. Only the IPv4 SSH clients that the ACL permits can access the device. If the specified ACL does not exist or contains no rules, all IPv4 SSH clients can access the device. The ACL takes effect only on SSH connections that are initiated after the ACL configuration.
Related commands ssh server acl ssh server ipv6 acl ssh server authentication-retries Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default. Syntax ssh server authentication-retries retries undo ssh server authentication-retries Default The maximum number of authentication attempts is 3 for SSH users.
ssh server authentication-timeout Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. Use undo ssh server authentication-timeout to restore the default. Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The SSH user authentication timeout timer is 60 seconds. Views System view Predefined user roles...
Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command is not available in FIPS mode. The undo form of this command restores the default setting whether you specify the enable keyword or not. This configuration does not affect logged-in users. It affects only users that attempt to log in after the configuration.
[Sysname] ssh server dscp 30 ssh server enable Use ssh server enable to enable the Stelnet server. Use undo ssh server enable to disable the Stelnet server. Syntax ssh server enable undo ssh server enable Default The Stelnet server is disabled. Views System view Predefined user roles...
mac mac-acl-number: Specifies a Layer 2 ACL by its number in the range of 4000 to 4999. Usage guidelines The ACL specified in this command filters IPv6 SSH clients' connection requests. Only the IPv6 SSH clients that the ACL permits can access the device. If the specified ACL does not exist or contains no rules, all IPv6 SSH clients can access the device.
ssh server pki-domain Use ssh server pki-domain to specify a PKI domain for an SSH server. Use undo ssh server pki-domain to restore the default. Syntax ssh server pki-domain domain-name undo ssh server pki-domain Default No PKI domain is specified for an SSH server. Views System view Predefined user roles...
Views System view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a port number in the range of 1 to 65535. Usage guidelines If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification.
The system starts to count down the configured minimum update interval after the first SSH1 user logs in to the server. If a new SSH1 user logs in to the server after the interval, the system performs the following operations: Updates the RSA server key pair.
• scp: Specifies the service type SCP. • sftp: Specifies the service type SFTP. • stelnet: Specifies the service type Stelnet. • netconf: Specifies the service type NETCONF. authentication-type: Specifies an authentication method for the SSH user. • password: Specifies password authentication. This authentication method provides easy and fast encryption, but it is vulnerable.
In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user. For an SFTP or SCP user, the working directory depends on the authentication method. • If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
Predefined user roles network-admin network-operator mdc-admin mdc-operator Usage guidelines This command has the same function as the exit and quit commands. Examples # Terminate the connection with the SFTP server. sftp> bye <Sysname> Use cd to change the working directory on the SFTP server. Syntax cd [ remote-path ] Views...
Predefined user roles network-admin mdc-admin Example # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current Directory is:/test1 sftp> pwd Remote working directory: /test1 sftp> cdup Current Directory is:/ sftp> pwd Remote working directory: / sftp>...
Predefined user roles network-admin mdc-admin Parameters server-ip ip-address: Specifies the IP address of the server whose public key information will be deleted. If you do not specify a server IP address, this command deletes the public keys of all servers from the client's public key file.
-rwxrwxrwx 301 Dec 18 14:11 010.pub -rwxrwxrwx 301 Dec 18 14:12 011.pub -rwxrwxrwx 301 Dec 18 14:12 012.pub # Display detailed information about the files and subdirectories under the current directory, excluding the files and subdirectories with names starting with dots (.). sftp>...
mdc-operator Parameters server-ip ip-address: Specifies the IP address of the server whose public key information will be displayed. If you do not specify a server IP address, this command displays the public keys of all servers saved in the client's public key file. Usage guidelines When a user connects to an unauthenticated server and selects to save the server's public key, the server public key will be saved to the public key file.
Field Description
Key type: Type of the public key: • dsa—DSA public key. • ecdsa-sha2-nistp256—256-bit ECDSA public key created by using the secp256r1 curve. • ecdsa-sha2-nistp384—384-bit ECDSA public key created by using the secp384r1 curve. • rsa—RSA public key.
Key length: Length of the public key, in bits.
mdc-admin mdc-operator Usage guidelines This command has the same function as the bye and quit commands. Examples # Terminate the SFTP connection. sftp> exit <Sysname> Use get to download a file from the SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view...
Usage guidelines This command has the same function as entering the question mark (?). Examples # Display help information on the SFTP client. sftp> help Available commands: Quit sftp cd [path] Change remote directory to 'path' cdup Change remote directory to the parent directory delete path Delete remote file dir [-a|-l][path]...
remote-path: Specifies the name of the directory to be queried. If you do not specify this argument, the command displays information about the files and subdirectories under the current working directory. Usage guidelines If you do not specify both of the -a and -l keywords, this command displays the names of the files and subdirectories under a directory.
Views SFTP client view Predefined user roles network-admin mdc-admin Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name of a file on an SFTP server. If you do not specify this argument, the file will be remotely saved with the same name as the local file. Examples # Upload the local file startup.bak to the SFTP server and save it as startup01.bak.
mdc-admin mdc-operator Usage guidelines This command has the same function as the bye and exit commands. Examples # Terminate the SFTP connection. sftp> quit <Sysname> remove Use remove to delete a file from the SFTP server. Syntax remove remote-file Views SFTP client view Predefined user roles network-admin...
Examples # Change the name of a file on the SFTP server from temp1.c to temp2.c. sftp> dir aa.pub temp1.c sftp> rename temp1.c temp2.c sftp> dir aa.pub temp2.c rmdir Use rmdir to delete a directory from the SFTP server. Syntax rmdir remote-path Views SFTP client view...
user username: Specifies an SCP username, a case-sensitive string of 1 to 80 characters. If the username contains an ISP domain name, use the pureusername@domain format. The pureusername argument is a string of 1 to 55 characters. The domain argument is a string of 1 to 24 characters.
public key algorithm is used, you must specify this option for the client to get the correct local certificate. prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib.
• interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets. • ipv6 ipv6-address: Specifies a source IPv6 address. Usage guidelines Table 81 Suite B algorithms Security Key exchange Encryption algorithm...
source-file-name: Specifies the name of the source file, a case-sensitive string of 1 to 255 characters. destination-file-name: Specifies the name of the target file, a case-sensitive string of 1 to 255 characters. If you do not specify this argument, the target file uses the same file name as the source file.
sftp Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view. Syntax In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |...
• x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256. • x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384. • pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword). dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48.
Default The source IPv6 address for SFTP packets is not configured. The SFTP client automatically selects an IPv6 address for SFTP packets in compliance with RFC 3484. Views System view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the longest-matching IPv6 address of the specified interface as their source address.
Parameters interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the primary IPv4 address of the interface as their source address. ip ip-address: Specifies a source IPv4 address. Usage guidelines This command takes effect on all SFTP connections. The source IPv4 address specified in the sftp command takes effect only on the current SFTP connection.
mdc-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
• md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. • sha1: Specifies the HMAC algorithm hmac-sha1. • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. • sha2-256: Specifies the HMAC algorithm hmac-sha2-256. • sha2-512: Specifies the HMAC algorithm hmac-sha2-512. prefer-kex: Specifies the preferred key exchange algorithm.
server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate. prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets.
Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
Examples # Use the 128-bit Suite B algorithms to establish a connection to SFTP server 10.1.1.2. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively. <Sysname> sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain Username ssh client ipv6 source Use ssh client ipv6 source to configure the source IPv6 address for SSH packets that are sent by...
ssh client source Use ssh client source to configure the source IPv4 address for SSH packets that are sent by the Stelnet client. Use undo ssh client source to restore the default. Syntax ssh client source { interface interface-type interface-number | ip ip-address } undo ssh client source Default The source IPv4 address for SSH packets is not configured.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128-ctr. Supported algorithms are des-cbc, 3des-cbc, aes128-cbc, aes128-ctr, aes128-gcm, aes192-ctr, aes256-cbc, aes256-ctr, and aes256-gcm, in ascending order of security strength and computation time. • 3des-cbc: Specifies the encryption algorithm 3des-cbc. •...
characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). source: Specifies a source IPv4 address or source interface for SSH packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SSH packets.
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128-ctr. Supported algorithms are des-cbc, 3des-cbc, aes128-cbc, aes128-ctr, aes128-gcm, aes192-ctr, aes256-cbc, aes256-ctr, and aes256-gcm, in ascending order of security strength and computation time.
public-key keyname: Specifies the server by its host public key that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters. server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters.
domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views User view Predefined user roles network-admin mdc-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
Usage guidelines Table 85 Suite B algorithms
Security level | Key exchange algorithm | Encryption algorithm and HMAC algorithm | Public key algorithm
128-bit | ecdh-sha2-nistp256 | aes128-gcm | x509v3-ecdsa-sha2-nistp256
192-bit | ecdh-sha2-nistp384 | aes256-gcm | x509v3-ecdsa-sha2-nistp384
Both | ecdh-sha2-nistp256 | aes128-gcm | x509v3-ecdsa-sha2-nistp256
Both | ecdh-sha2-nistp384 | aes256-gcm | x509v3-ecdsa-sha2-nistp384
The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 128-bit: Specifies the 128-bit Suite B security level. 192-bit: Specifies the 192-bit Suite B security level.
Examples # Use the 128-bit Suite B algorithms to establish a connection to Stelnet server 3.3.3.3. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively. <Sysname> ssh2 3.3.3.3 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain Username SSH2 commands display ssh2 algorithm...
<Sysname> system-view [Sysname] ssh2 algorithm key-exchange dh-group1-sha1 Related commands display ssh2 algorithm ssh2 algorithm cipher ssh2 algorithm mac ssh2 algorithm public-key ssh2 algorithm mac Use ssh2 algorithm mac to specify MAC algorithms for SSH2. Use undo ssh2 algorithm mac to restore the default. Syntax In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *...
SSL commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ciphersuite Use ciphersuite to specify the cipher suites supported by an SSL server policy.
ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256. ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256. ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.
• Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are usually asymmetric key algorithms, such as RSA. After the SSL server receives a cipher suite from a client, the server matches the received cipher suite against the cipher suites it supports.
Optional SSL client authentication—The SSL server does not require an SSL client to submit its digital certificate for identity authentication. • If an SSL client submits its certificate to the SSL server, the server authenticates the client identity. The client must pass authentication to access the server. •...
Examples # Display cryptographic library version information. <Sysname> display crypto version 7.1.1.1.1.57 Table 88 Command output
Field Description
7.1.1.1.1.57: Cryptographic library version information, in the 7.1.X format: • The 7.1 segment represents Comware 700R001. • The X segment represents the cryptographic library version.
display ssl client-policy Use display ssl client-policy to display SSL client policy information.
display ssl server-policy Use display ssl server-policy to display SSL server policy information. Syntax display ssl server-policy [ policy-name ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters.
Default No PKI domain is specified for an SSL client policy. Views SSL client policy view Predefined user roles network-admin mdc-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you specify a PKI domain for an SSL client policy, the SSL client that uses the SSL client policy will obtain its digital certificate through the specified PKI domain.
Examples # Specify PKI domain server-domain for SSL server policy policy1. <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] pki-domain server-domain Related commands display ssl server-policy pki domain prefer-cipher Use prefer-cipher to specify a preferred cipher suite for an SSL client policy. Use undo prefer-cipher to restore the default.
dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256. dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA. dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.
• Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key. • Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity.
Examples # Enable the SSL client to use digital certificates to authenticate the SSL server. <Sysname> system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] server-verify enable Related commands display ssl client-policy session Use session to set the maximum number of sessions that the SSL server can cache and the timeout time for cached sessions.
ssl client-policy Use ssl client-policy to create an SSL client policy and enter its view, or enter the view of an existing SSL client policy. Use undo ssl client-policy to delete an SSL client policy. Syntax ssl client-policy policy-name undo ssl client-policy policy-name Default No SSL client policies exist.
Predefined user roles network-admin mdc-admin Usage guidelines The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake. Disabling session renegotiation causes more computational overhead to the system but it can avoid potential risks.
ssl version disable Use ssl version disable to disable the SSL server from using specific SSL protocol versions for session negotiation. Use undo ssl version disable to restore the default. Syntax In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable In FIPS mode: ssl version { tls1.0 | tls1.1 } * disable...
version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } undo version In FIPS mode: version { tls1.0 | tls1.1 | tls1.2 } undo version Default An SSL client policy uses SSL protocol version TLS 1.0. Views SSL client policy view Predefined user roles network-admin mdc-admin...
Attack detection and prevention commands ack-flood action Use ack-flood action to specify global actions against ACK flood attacks. Use undo ack-flood action to restore the default. Syntax ack-flood action { drop | logging } * undo ack-flood action Default No global action is specified for ACK flood attacks. Views Attack defense policy view Predefined user roles...
Default IP address-specific ACK flood attack detection is not configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
Syntax ack-flood detect non-specific undo ack-flood detect non-specific Default Global ACK flood attack detection is disabled. Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global ACK flood attack detection applies to all IP addresses except those specified by the ack-flood detect command.
Usage guidelines With global ACK flood attack detection configured, the device is in attack detection state. When the sending rate of ACK packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
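The detection/prevention state change described above is a hysteresis loop: the device enters prevention state when the ACK rate reaches the threshold and only returns to detection state once the rate drops below the silence threshold (three-fourths of the threshold). The following Python model is an added illustration, not Comware code; it assumes the rate is sampled once per second (constructed samples below), the threshold is in packets per second, and the actions are the drop and logging actions the ack-flood action command names.

```python
"""Hysteresis model of ACK flood attack detection (added illustration, not device code).

Assumptions: per-second rate samples, threshold in packets/second, silence
threshold = 3/4 of the attack threshold as the command reference states.
"""
from dataclasses import dataclass, field

DETECTION = "detection"
PREVENTION = "prevention"


@dataclass
class AckFloodMonitor:
    threshold: int                          # configured ACK packets/second trigger
    actions: tuple = ("drop", "logging")    # global actions applied in prevention state
    state: str = DETECTION
    events: list = field(default_factory=list)

    @property
    def silence_threshold(self) -> float:
        # Leave prevention state only when the rate is below 3/4 of the threshold,
        # so a rate oscillating just under the threshold does not flap the state.
        return self.threshold * 3 / 4

    def observe(self, t: int, rate: int) -> str:
        """Feed one per-second rate sample and return the resulting state."""
        if self.state == DETECTION and rate >= self.threshold:
            self.state = PREVENTION
            self.events.append((t, "enter-prevention", rate, self.actions))
        elif self.state == PREVENTION and rate < self.silence_threshold:
            self.state = DETECTION
            self.events.append((t, "return-to-detection", rate, ()))
        return self.state

    def applied_actions(self) -> tuple:
        """Actions in force right now: none while detecting, the configured set while preventing."""
        return self.actions if self.state == PREVENTION else ()


def run(samples, threshold=1000):
    """Replay a list of per-second ACK rates; return (trace, state-change events)."""
    mon = AckFloodMonitor(threshold)
    trace = [(t, rate, mon.observe(t, rate)) for t, rate in enumerate(samples)]
    return trace, mon.events


# Constructed samples: ramp up past the threshold, hover inside the hysteresis
# band (750..999 for a 1000 pps threshold), then fall below the silence threshold.
SAMPLES = [200, 900, 1000, 1400, 800, 760, 750, 749, 300]

if __name__ == "__main__":
    trace, events = run(SAMPLES)
    for t, rate, state in trace:
        print(f"t={t}s rate={rate:5d} pps -> {state}")
    for ev in events:
        print("event:", ev)
```

Samples 800, 760 and 750 keep the device in prevention state even though they are below the attack threshold; only 749 (below 750, the silence threshold) returns it to detection state.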
Each device can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect. Examples # Apply attack defense policy atk-policy-1 to the device. <Sysname> system-view [Sysname] attack-defense local apply policy atk-policy-1 Related commands attack-defense policy display attack-defense policy...
undo attack-defense login enable Default Login attack prevention is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines After a user fails the maximum number of login attempts, login attack prevention uses the blacklist to block the user from logging in during the block period. For login attack prevention to take effect, you must enable the global blacklist feature.
The login failure counter for a user is reset after the user logs in successfully. If the device reboots, all login failure counters are reset. Examples # Set the maximum number of successive login failures to five. <Sysname> system-view [Sysname] attack-defense login max-attempt 5 Related commands attack-defense login enable attack-defense login reauthentication-delay...
undo attack-defense policy policy-name Default No attack defense policies exist. Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
• Source and destination IP addresses. • VPN instance to which the victim IP address belongs. As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console. Examples # Enable log non-aggregation for single-packet attack events. <Sysname>...
Syntax blacklist global enable undo blacklist global enable Default The global blacklist feature is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines If you enable the global blacklist feature, the blacklist feature is enabled on all interfaces. Examples # Enable the global blacklist feature.
timeout minutes: Specifies the aging time in minutes for the blacklist entry, in the range of 1 to 1000. If you do not specify this option, the blacklist entry never ages out. You must delete it manually. Usage guidelines The undo blacklist ip command deletes only manually added IPv4 blacklist entries. To delete dynamically added IPv4 blacklist entries, use the reset blacklist ip command.
A blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot. You can use the display blacklist ipv6 command to display all effective IPv6 blacklist entries that are manually added. Examples # Add a blacklist entry for IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry.
# Add 192.168.1.2 to the blacklist. A log is output for the adding event. [Sysname] blacklist ip 192.168.100.12 %Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration. # Delete 192.168.1.2 from the blacklist. A log is output for the deletion event. [Sysname] undo blacklist ip 192.168.100.12 %Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12;...
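The BLS_ENTRY_ADD and BLS_ENTRY_DEL messages shown above are what a collector receives when blacklist entries change. The parser below is an added example for ingesting them, not code from Comware or this reference: it splits the Comware-style header (timestamp, sysname, module/severity/mnemonic) from the `Name(id)=value;` body and reduces a stream of messages to add/delete events keyed by source IP. The first sample line is the add event from the page; the second is a constructed delete event that completes the truncated one using the same field layout. Function names are assumptions.

```python
import re

# Constructed sample lines in the format of the BLS log messages above.
# Line 1 is the add event shown on the page; line 2 is a constructed
# delete event completing the truncated one with the same field layout.
SAMPLE_LOGS = [
    "%Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; "
    "DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.",
    "%Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12; "
    "DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.",
]

# Header: %<Mon dd hh:mm:ss:ms yyyy> <sysname> <MODULE>/<severity>/<MNEMONIC>:<body>
HEADER_RE = re.compile(
    r"^%(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<host>\S+) (?P<module>[A-Z0-9]+)/(?P<severity>\d)/(?P<mnemonic>\w+):(?P<body>.*)$"
)
FIELD_RE = re.compile(r"^(?P<name>\w+)\((?P<id>\d+)\)=(?P<value>.*)$")


def parse_bls_log(line):
    """Parse one log line into a dict, or return None if it is not in this format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    body = rec.pop("body").strip()
    if body.endswith("."):
        body = body[:-1]                        # message-terminating period
    fields = {}
    for item in body.split(";"):
        fm = FIELD_RE.match(item.strip())
        if fm:
            # "--" (not applicable) and "" (unset, e.g. TTL) are kept verbatim
            # so the consumer can distinguish them.
            fields[fm.group("name")] = fm.group("value")
    rec["fields"] = fields
    return rec


def blacklist_events(lines):
    """Reduce a log stream to (action, source_ip, reason) tuples."""
    actions = {"BLS_ENTRY_ADD": "add", "BLS_ENTRY_DEL": "delete"}
    events = []
    for line in lines:
        rec = parse_bls_log(line)
        if rec is None or rec["module"] != "BLS":
            continue
        action = actions.get(rec["mnemonic"])
        if action is None:
            continue
        f = rec["fields"]
        events.append((action, f.get("SrcIPAddr"), f.get("Reason")))
    return events


if __name__ == "__main__":
    for ev in blacklist_events(SAMPLE_LOGS):
        print(ev)
```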
device. If you do not specify a card, this command displays IPv4 flood attack detection and prevention statistics for all cards. (In IRF mode.) count: Displays the number of matching protected IPv4 addresses. Usage guidelines The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
Examples # (In standalone mode.) Display all IPv6 flood attack detection and prevention statistics. <Sysname> display attack-defense flood statistics ipv6 Slot 1: IPv6 address Detected on Detect type State Dropped 1::4 Local ACK-FLOOD Normal 1000 111111111 1::5 Local SYN-FLOOD Normal 1000 22222222 Slot 2:...
mdc-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.
UDP Snork Disabled Info UDP Fraggle Enabled Info IP option record route Disabled Info IP option internet timestamp Enabled Info IP option security Disabled Info IP option loose source routing Enabled Info IP option stream ID Disabled Info IP option strict source routing Disabled Info IP option route alert...
HTTP flood 10000 80,8080 Enabled Flood attack defense for protected IP addresses: Address VPN instance Flood type Thres(pps) Actions Ports 1::1 FIN-FLOOD 192.168.1.1 SYN-ACK-FLOOD 10 1::1 FIN-FLOOD 2013:2013:2013:2013: DNS-FLOOD L,CV 2013:2013:2013:2013 Table 93 Command output Field Description Policy name: Name of the attack defense policy. Applied list: Locations to which the attack defense policy is applied. Local indicates that the policy is applied to the device.
Field Description Global actions: Global prevention actions against the flood attack: • D—Dropping packets. • L—Logging. • -—Not configured. Service ports: Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).
Slot 1: IP address VPN instance Type Rate threshold(PPS) Dropped 123.123.123.123 -- SYN-ACK-FLOOD 100 4294967295 201.55.7.45 ICMP-FLOOD 192.168.11.5 DNS-FLOOD Slot 2: IP address VPN instance Type Rate threshold(PPS) Dropped # (In standalone mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ack-flood: Specifies ACK flood attack.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the device.
Syntax In standalone mode: display attack-defense scan attacker ipv6 [ [ local ] [ slot slot-number ] ] [ count ] In IRF mode: display attack-defense scan attacker ipv6 [ [ local ] [ chassis chassis-number slot slot-number ] ] [ count ] Views Any view...
Table 98 Command output Field Description Totally 1 attackers: Total number of IPv6 scanning attackers. IPv6 address: IPv6 address of the attacker. VPN instance: MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--).
Usage guidelines If you do not specify any parameters, this command displays information about all IPv4 scanning attack victims. Examples # (In standalone mode.) Display information about all IPv4 scanning attack victims. <Sysname> display attack-defense scan victim ip Slot 1: IP address VPN instance Detected on...
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters local: Specifies the device. slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device. If you do not specify a card, this command displays information about IPv6 scanning attack victims for all cards.
Related commands display attack-defense scan attacker ipv6 scan detect display attack-defense statistics local Use display attack-defense statistics local to display attack detection and prevention statistics for the device. Syntax In standalone mode: display attack-defense statistics local [ slot slot-number ] In IRF mode: display attack-defense statistics local [ chassis chassis-number slot slot-number ] Views...
UDP flood ICMP flood ICMPv6 flood DNS flood HTTP flood Signature attack defense statistics: AttackType AttackTimes Dropped IP option record route IP option security IP option stream ID IP option internet timestamp IP option loose source routing IP option strict source routing IP option route alert Fragment Impossible...
ICMPv6 echo reply ICMPv6 group membership query ICMPv6 group membership report ICMPv6 group membership reduction ICMPv6 destination unreachable ICMPv6 time exceeded ICMPv6 parameter problem ICMPv6 packet too big Slot 2: Scan attack defense statistics: AttackType AttackTimes Dropped Port scan IP sweep Distribute port scan Flood attack defense statistics: AttackType...
TCP invalid flag TCP Land Winnuke UDP Bomb Snork Fraggle Large ICMPv6 ICMP echo request ICMP echo reply ICMP source quench ICMP destination unreachable ICMP redirect ICMP time exceeded ICMP parameter problem ICMP timestamp request ICMP timestamp reply ICMP information request ICMP information reply ICMP address mask request ICMP address mask reply...
Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters source-ip-address: Specifies the IPv4 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
Related commands blacklist ipv6 display blacklist user Use display blacklist user to display user blacklist entries. Syntax display blacklist user [ user-name ] [ count ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters user-name: Specifies a user by the username, a case-sensitive string of 1 to 55 characters. If you do not specify a user, this command displays all user blacklist entries.
Related commands blacklist global enable blacklist user dns-flood action Use dns-flood action to specify global actions against DNS flood attacks. Use undo dns-flood action to restore the default. Syntax dns-flood action { drop | logging } * undo dns-flood action Default No global action is specified for DNS flood attacks.
Default IP address-specific DNS flood attack detection is not configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
dns-flood detect non-specific Use dns-flood detect non-specific to enable global DNS flood attack detection. Use undo dns-flood detect non-specific to disable global DNS flood attack detection. Syntax dns-flood detect non-specific undo dns-flood detect non-specific Default Global DNS flood attack detection is disabled. Views Attack defense policy view Predefined user roles...
mdc-admin Parameters port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. Usage guidelines The device detects only DNS packets destined for the specified ports.
The global threshold applies to global DNS flood attack detection. Adjust the threshold according to the application scenarios. If the number of DNS packets sent to a protected DNS server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
• Destination IP address. • Source port. • Destination port. • Protocol. • L3VPN instance. • The fragment keyword for matching non-first fragments. If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.
Syntax fin-flood threshold threshold-value undo fin-flood threshold Default The global threshold is 1000 for triggering FIN flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second.
Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters drop: Drops subsequent HTTP packets destined for the victim IP addresses. logging: Enables logging for HTTP flood attack events. Examples # Specify drop as the global action against HTTP flood attacks in attack defense policy atk-policy-1. <Sysname>...
port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
mdc-admin Usage guidelines The global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command. Examples # Enable global HTTP flood attack detection in attack defense policy atk-policy-1.
Related commands http-flood action http-flood detect http-flood detect non-specific http-flood threshold Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention. Use undo http-flood threshold to restore the default. Syntax http-flood threshold threshold-value undo http-flood threshold Default The global threshold is 1000 for triggering HTTP flood attack prevention.
icmp-flood action Use icmp-flood action to specify global actions against ICMP flood attacks. Use undo icmp-flood action to restore the default. Syntax icmp-flood action { drop | logging } * undo icmp-flood action Default No global action is specified for ICMP flood attacks. Views Attack defense policy view Predefined user roles...
Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold command and global actions specified by the icmp-flood action command.
The global threshold applies to global ICMP flood attack detection. Adjust the threshold according to the application scenarios. If the number of ICMP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
Default The global threshold is 1000 for triggering ICMPv6 flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMPv6 packets sent to an IP address per second. Usage guidelines With global ICMPv6 flood attack detection configured, the device is in attack detection state.
Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). ip: Specifies protected IPv4 addresses. ipv6: Specifies protected IPv6 addresses.
Predefined user roles network-admin mdc-admin Parameters source-ip-address: Specifies the IPv4 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
reset blacklist statistics Use reset blacklist statistics to clear blacklist statistics. Syntax reset blacklist statistics Views User view Predefined user roles network-admin mdc-admin Usage guidelines This command resets the counter for dropped packets for all blacklist entries. Examples # Clear blacklist statistics. <Sysname>...
Use undo rst-flood threshold to restore the default. Syntax rst-flood threshold threshold-value undo rst-flood threshold Default The global threshold is 1000 for triggering RST flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of RST packets sent to an IP address per second.
Default No scanning attack detection is configured. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters level: Specifies the level of the scanning attack detection. low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected.
blacklist global enable signature { large-icmp | large-icmpv6 } max-length Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.
• redirect: Specifies the ICMP redirect type. • source-quench: Specifies the ICMP source quench type. • time-exceeded: Specifies the ICMP time exceeded type. • timestamp-reply: Specifies the ICMP timestamp reply type. • timestamp-request: Specifies the ICMP timestamp request type. icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword: •...
teardrop: Specifies the teardrop attack. tiny-fragment: Specifies the tiny fragment attack. traceroute: Specifies the traceroute attack. udp-bomb: Specifies the UDP bomb attack. winnuke: Specifies the WinNuke attack. action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.
Parameters high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level. info: Specifies the informational level. For example, large ICMP packet attack is on this level. low: Specifies the low level. For example, the traceroute attack is on this level. medium: Specifies the medium level.
Examples # Specify drop as the global action against SYN-ACK flood attacks in attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood action drop Related commands syn-ack-flood detect syn-ack-flood detect non-specific syn-ack-flood threshold syn-ack-flood detect Use syn-ack-flood detect to configure IP address-specific SYN-ACK flood attack detection. Use undo syn-ack-flood detect to remove the IP address-specific SYN-ACK flood attack detection configuration.
Usage guidelines With SYN-ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN-ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
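The two-state detection/prevention behaviour in these usage guidelines is shared by every flood type in this reference (SYN, SYN-ACK, ACK, FIN, RST, UDP, ICMP, ICMPv6, DNS and HTTP flood), so the added model below covers the general case rather than only SYN-ACK. It is an illustration written for this page, not Comware code: a detector for one protected address enters prevention when the per-second rate reaches the trigger threshold, applies the configured actions while there, and returns to detection only when the rate drops below the silence threshold of three-fourths of the trigger value. The class and function names, the rate samples and the default action set are assumptions.

```python
# Added illustration of the flood attack detection state machine; not
# Comware code. Class and function names and the sample rates are assumptions.
DETECTION = "detection"
PREVENTION = "prevention"


class FloodDetector:
    """Tracks one protected IP address for one flood type."""

    def __init__(self, threshold, actions=("drop", "logging")):
        # Trigger threshold range taken from the threshold commands above.
        if not 1 <= threshold <= 1000000:
            raise ValueError("threshold must be 1 to 1000000 packets per second")
        self.threshold = threshold          # trigger threshold, packets per second
        self.actions = tuple(actions)       # actions applied in prevention state
        self.state = DETECTION

    @property
    def silence_threshold(self):
        # The reference fixes the silence threshold at three-fourths of the
        # trigger threshold. The gap between the two values is hysteresis:
        # a rate that hovers just under the trigger value does not flap the
        # device between states.
        return self.threshold * 3 / 4

    def observe(self, rate_pps):
        """Feed one per-second rate sample; return the actions to apply now."""
        if self.state == DETECTION and rate_pps >= self.threshold:
            self.state = PREVENTION
        elif self.state == PREVENTION and rate_pps < self.silence_threshold:
            self.state = DETECTION
        return self.actions if self.state == PREVENTION else ()


def trace(threshold, rates):
    """Return the detector state after each sample of a rate series."""
    detector = FloodDetector(threshold)
    states = []
    for rate in rates:
        detector.observe(rate)
        states.append(detector.state)
    return states


if __name__ == "__main__":
    # Constructed sample: trigger 1000 pps, so the silence threshold is 750 pps.
    # 900 and 760 pps are below the trigger but still hold prevention state.
    samples = [500, 1000, 900, 760, 749, 1200]
    for rate, state in zip(samples, trace(1000, samples)):
        print(f"{rate:5d} pps -> {state}")
```

The 900 pps and 760 pps samples are the point of the example: once in prevention state, a rate below the trigger threshold is not enough to leave it; the rate has to fall under 750 pps first.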
Related commands syn-ack-flood action syn-ack-flood detect syn-ack-flood threshold syn-ack-flood threshold Use syn-ack-flood threshold to set the global threshold for triggering SYN-ACK flood attack prevention. Use undo syn-ack-flood threshold to restore the default. Syntax syn-ack-flood threshold threshold-value undo syn-ack-flood threshold Default The global threshold is 1000 for triggering SYN-ACK flood attack prevention.
syn-flood action Use syn-flood action to specify global actions against SYN flood attacks. Use undo syn-flood action to restore the default. Syntax syn-flood action { drop | logging } * undo syn-flood action Default No global action is specified for SYN flood attacks. Views Attack defense policy view Predefined user roles...
Predefined user roles network-admin mdc-admin Parameters ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s. ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs.
Views Attack defense policy view Predefined user roles network-admin mdc-admin Usage guidelines The global SYN flood attack detection applies to all IP addresses except for those specified by the syn-flood detect command. The global detection uses the global trigger threshold set by the syn-flood threshold command and global actions specified by the syn-flood action command.
The global threshold applies to global SYN flood attack detection. Adjust the threshold according to the application scenarios. If the number of SYN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services.
Related commands udp-flood action udp-flood detect non-specific udp-flood threshold udp-flood detect non-specific Use udp-flood detect non-specific to enable global UDP flood attack detection. Use undo udp-flood detect non-specific to disable global UDP flood attack detection. Syntax udp-flood detect non-specific undo udp-flood detect non-specific Default Global UDP flood attack detection is disabled.
Default The global threshold is 1000 for triggering UDP flood attack prevention. Views Attack defense policy view Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of UDP packets sent to an IP address per second. Usage guidelines With global UDP flood attack detection configured, the device is in attack detection state.
Views System view Predefined user roles network-admin mdc-admin Parameters interval: Specifies the check interval in the range of 1 to 60 seconds. Usage guidelines This command takes effect after you enable Naptha attack prevention. After you enable Naptha attack prevention, the device checks the number of TCP connections in each state at intervals.
connection-limit number: Specifies the maximum number of TCP connections, in the range of 0 to 500. The value of 0 represents that the device does not accelerate the aging of the TCP connections in a state. Usage guidelines This command takes effect after you enable Naptha attack prevention. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in the state.
argument represents the slot number of the card. If you do not specify a card, this command displays IPv4SG bindings for the global active MPU. (In IRF mode.) Examples # Display all IPSG bindings on the public network. <Sysname> display ip source binding Total entries found: 5 IP Address MAC Address...
display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ slot slot-number ] In IRF mode: display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles network-admin...
Field Description End VLAN ID: End VLAN ID of the VLAN range that has been configured to be excluded from IPSG filtering. Status: Whether the excluded VLAN configuration takes effect: • Active—The configuration takes effect. • Inactive—The configuration does not take effect. Related commands ip verify source exclude display ipv6 source binding...
interface interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6SG address bindings for the active MPU. (In standalone mode.) chassis chassis-number slot slot-number: Specifies a card on an IRF member device.
Table 108 Command output Field Description Total entries found: Total number of IPv6SG prefix bindings. IPv6 prefix: IPv6 prefix and prefix length in the IPv6SG prefix binding. MAC address: MAC address in the IPv6SG prefix binding. This field displays N/A if the MAC address is invalid. Interface: Interface to which the IPv6SG prefix binding belongs.
Usage guidelines Static IPv4SG bindings on an interface implement the following functions: • Filter incoming IPv4 packets on the interface. • Check user validity by cooperating with the ARP attack detection feature. You cannot configure static IPv4SG bindings on a service loopback interface. Examples # Configure a static IPv4SG binding on Ten-GigabitEthernet 1/0/1.
Related commands display ip source binding ip source binding (interface view) ip verify source Use ip verify source to enable IPv4SG on an interface. Use undo ip verify source to disable IPv4SG on an interface. Syntax ip verify source { ip-address | ip-address mac-address | mac-address } undo ip verify source Default The IPv4SG feature is disabled on an interface.
# Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/2 [Sysname-Ten-GigabitEthernet1/0/2] ip verify source ip-address mac-address # Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source MAC address for dynamic IPSG.
ipv6 source binding (system view) Use ipv6 source binding to configure a global static IPv6SG binding. Use undo ipv6 source binding to delete one or all global static IPv6SG bindings. Syntax ipv6 source binding ip-address ipv6-address mac-address mac-address undo ipv6 source binding { all | ip-address ipv6-address mac-address mac-address } Default No global static IPv6SG bindings exist.
Views Layer 2 Ethernet interface view Layer 3 Ethernet interface view VLAN interface view Predefined user roles network-admin mdc-admin Parameters ip-address: Filters incoming packets by source IPv6 addresses. ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.
Views System view Predefined user roles network-admin mdc-admin Parameters count: Sets the number of probes, in the range of 1 to 25. Examples # Configure the device to perform five ARP blackhole route probes for each unresolved IP address. <Sysname> system-view [Sysname] arp resolving-route probe-count 5 Related commands arp resolving-route enable...
arp source-suppression enable Use arp source-suppression enable to enable the ARP source suppression feature. Use undo arp source-suppression enable to disable the ARP source suppression feature. Syntax arp source-suppression enable undo arp source-suppression enable Default The ARP source suppression feature is disabled. Views System view Predefined user roles...
Usage guidelines If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse. Examples # Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide. Examples # Enable logging for ARP packet rate limit. <Sysname> system-view [Sysname] arp rate-limit log enable arp rate-limit log interval Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.
Syntax snmp-agent trap enable arp [ rate-limit ] undo snmp-agent trap enable arp [ rate-limit ] Default SNMP notifications for ARP are disabled. Views System view Predefined user roles network-admin mdc-admin Parameters rate-limit: Specifies the ARP packet rate limit feature. Usage guidelines After you enable SNMP notifications for ARP, the device generates a notification that includes the highest threshold-crossed ARP packet rate within the sending interval.
Parameters filter: Specifies the filter handling method. monitor: Specifies the monitor handling method. Usage guidelines Configure this feature on the gateways. This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address.
arp source-mac exclude-mac Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection. Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection. Syntax arp source-mac exclude-mac mac-address&<1-64> undo arp source-mac exclude-mac [ mac-address&<1-64>...
Predefined user roles network-admin mdc-admin Parameters threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000. Examples # Set the threshold for source MAC-based ARP attack detection to 30. <Sysname> system-view [Sysname] arp source-mac threshold 30 display arp source-mac Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP...
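The following is an added model of source MAC-based ARP attack detection as described in the preceding entries (arp source-mac, arp source-mac exclude-mac and arp source-mac threshold); it is not Comware code. It counts ARP packets delivered to the CPU per source MAC within the 5-second check window, creates an attack entry with an aging time when the count exceeds the threshold, skips excluded MAC addresses, and distinguishes the filter handling method (subsequent packets from the MAC are dropped) from monitor (the entry is recorded and packets still pass). The sliding-window counting, the class and method names, the default aging time and the MAC samples are assumptions for the example.

```python
from collections import defaultdict, deque

# Added model of source MAC-based ARP attack detection; not Comware code.
# Sliding-window counting, names, default aging time and sample MACs are
# assumptions for this example.


class SourceMacArpDetector:
    """Counts ARP packets per source MAC inside the 5-second check window
    and creates an attack entry when the count exceeds the threshold."""

    WINDOW = 5.0    # seconds, as stated in the usage guidelines above

    def __init__(self, threshold=30, mode="monitor", exclude_macs=(), aging_minutes=5):
        if not 1 <= threshold <= 5000:          # range from arp source-mac threshold
            raise ValueError("threshold must be 1 to 5000")
        if mode not in ("filter", "monitor"):   # the two handling methods
            raise ValueError("mode must be filter or monitor")
        self.threshold = threshold
        self.mode = mode
        self.exclude = {m.lower() for m in exclude_macs}   # arp source-mac exclude-mac
        self.aging = aging_minutes * 60         # attack entry aging time (assumed default)
        self.seen = defaultdict(deque)          # mac -> arrival times in the window
        self.entries = {}                       # mac -> time the attack entry ages out

    def process(self, src_mac, now):
        """Handle one ARP packet delivered to the CPU; return 'forward' or 'drop'."""
        mac = src_mac.lower()
        if mac in self.exclude:
            return "forward"                    # excluded MACs are never checked
        expiry = self.entries.get(mac)
        if expiry is not None:
            if now < expiry:
                return self._verdict()          # existing attack entry
            del self.entries[mac]               # entry aged out, start counting again
        arrivals = self.seen[mac]
        arrivals.append(now)
        while arrivals and now - arrivals[0] >= self.WINDOW:
            arrivals.popleft()                  # drop arrivals older than the window
        if len(arrivals) > self.threshold:
            self.entries[mac] = now + self.aging
            arrivals.clear()
            return self._verdict()
        return "forward"

    def _verdict(self):
        # filter: drop subsequent ARP packets from the attacking MAC;
        # monitor: keep the entry (for display arp source-mac) but forward.
        return "drop" if self.mode == "filter" else "forward"

    def attack_entries(self, now):
        """MAC addresses with an attack entry that has not aged out yet."""
        return sorted(m for m, exp in self.entries.items() if now < exp)


if __name__ == "__main__":
    # Constructed burst: four ARP packets from one MAC in four seconds
    # against a threshold of 3, in filter mode.
    det = SourceMacArpDetector(threshold=3, mode="filter",
                               exclude_macs=["000f-e2ff-0100"], aging_minutes=1)
    for t in range(4):
        print(t, det.process("000f-e2ff-0001", t))
    print(det.attack_entries(now=3))
```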
Table 110 Command output Field Description Source-MAC Source MAC address of the attack. VLAN ID ID of the VLAN in which the attack was detected. Interface Interface on which the attack was detected. Aging-time Aging time for the ARP attack entry, in minutes. ARP packet source MAC consistency check commands arp valid-check enable...
Syntax arp active-ack [ strict ] enable undo arp active-ack [ strict ] enable Default The ARP active acknowledgement feature is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters strict: Enables strict mode for ARP active acknowledgement. Usage guidelines Configure this feature on gateways to prevent user spoofing.
[Sysname-vlan2] arp detection enable Related commands arp detection enable arp detection trust Use arp detection trust to configure an interface as an ARP trusted interface or configure an AC as an ARP trusted AC. Use undo arp detection trust to restore the default. Syntax arp detection trust undo arp detection trust...
Views System view Predefined user roles network-admin mdc-admin Parameters dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
[Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs and VSIs that are enabled with ARP attack detection. Syntax display arp detection Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display the VLANs and VSIs that are enabled with ARP attack detection. <Sysname>...
Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ARP attack detection statistics for all interfaces and all Ethernet service instances on the interfaces. service-instance instance-id: Specifies an Ethernet service instance by its ID. If you do not specify an Ethernet service instance, this command displays ARP attack detection statistics for all Ethernet service instances on the specified interface.
Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ARP attack detection statistics for all interfaces and all Ethernet service instances on the interfaces. service-instance instance-id: Specifies an Ethernet service instance by its ID.
To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command. Examples # Convert existing dynamic ARP entries to static ARP entries. <Sysname>...
[Sysname-Vlan-interface2] arp scan # Configure the device to scan neighbors in an address range. <Sysname> system-view [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20 ARP gateway protection commands arp filter source Use arp filter source to enable ARP gateway protection for a gateway. Use undo arp filter source to disable ARP gateway protection for a gateway.
Syntax arp filter binding ip-address mac-address undo arp filter binding ip-address Default ARP filtering is disabled. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin mdc-admin Parameters ip-address: Specifies a permitted sender IP address. mac-address: Specifies a permitted sender MAC address.
Views VLAN view Predefined user roles network-admin mdc-admin Parameters start-ip-address: Specifies the start IP address. end-ip-address: Specifies the end IP address. The end IP address must be higher than or equal to the start IP address. Usage guidelines The gateway discards an ARP packet if its sender IP address is not within the allowed IP address range.
Views System view Predefined user roles network-admin mdc-admin Usage guidelines Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
Table 112 Command output Field: Interface. Description: Input interface of the ND messages. Field: Packets dropped. Description: Number of ND messages dropped by ND attack detection. ipv6 nd detection enable Use ipv6 nd detection enable to enable ND attack detection. This feature checks the ND message validity.
Parameters policy-name: Specifies an RA guard policy by its name. The policy name is a case-sensitive string of 1 to 31 characters. If you do not specify a policy, this command displays the configuration of all RA guard policies. Examples # Display the configuration of all RA guard policies.
Syntax display ipv6 nd raguard statistics [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays RA guard statistics for all interfaces. Examples # Display RA guard statistics.
Predefined user roles network-admin mdc-admin Parameters ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999. name ipv6-acl-name: Specifies an IPv6 basic ACL by its name, a case-insensitive string of 1 to 63 characters. The name must start with an English letter. To avoid confusion, the name cannot be all. Usage guidelines RA guard uses the ACL match criterion to match the IP address of the RA message sender.
Examples # Specify on as the M flag match criterion for the RA guard policy policy1. <Sysname> system-view [Sysname] ipv6 nd raguard policy policy1 [Sysname-raguard-policy-policy1] if-match autoconfig managed-address-flag on if-match autoconfig other-flag Use if-match autoconfig other-flag to specify an O flag match criterion. Use undo if-match autoconfig other-flag to delete the O flag match criterion.
Default No maximum or minimum hop limit match criterion exists. Views RA guard policy view Predefined user roles network-admin mdc-admin Parameters maximum: Specifies the maximum advertised hop limit. An RA message passes the check if its current hop limit is not higher than the maximum advertised hop limit. minimum: Specifies the minimum advertised hop limit.
Usage guidelines An RA message passes the check if the advertised prefixes in the message match the prefixes set by the ACL. If the specified ACL does not exist or does not contain a rule, the prefix match criterion does not take effect.
Examples # Specify medium as the router preference match criterion for the RA guard policy policy1. <Sysname> system-view [Sysname] ipv6 nd raguard policy policy1 [Sysname-raguard-policy-policy1] if-match router-preference maximum medium ipv6 nd raguard apply policy Use ipv6 nd raguard apply policy to apply an RA guard policy to a VLAN. Use undo ipv6 nd raguard apply policy to remove the RA guard policy from a VLAN.
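The RA guard match criteria described above (sender ACL, prefix ACL, M flag, O flag, hop-limit maximum/minimum, router-preference maximum), evaluated against a parsed RA message as an added Python example that is not HPE/Comware code. The ACL matching rule (a value matches if it lies inside a rule's prefix), the low < medium < high preference order, the "not lower than minimum" reading of the minimum hop limit, and all addresses and prefixes are assumptions or constructed sample values.

```python
"""Added example (not HPE/Comware code): evaluate a received RA message against
the RA guard match criteria of one policy."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed router preference ranking for the router-preference maximum criterion.
PREF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RaGuardPolicy:
    """One RA guard policy. None means the criterion is not configured."""
    source_acl: Optional[List[str]] = None   # if-match acl: permitted sender addresses
    prefix_acl: Optional[List[str]] = None   # if-match prefix acl: permitted advertised prefixes
    managed_flag: Optional[bool] = None      # if-match autoconfig managed-address-flag on/off
    other_flag: Optional[bool] = None        # if-match autoconfig other-flag on/off
    hop_limit_max: Optional[int] = None      # if-match hop-limit maximum
    hop_limit_min: Optional[int] = None      # if-match hop-limit minimum
    router_pref_max: Optional[str] = None    # if-match router-preference maximum


@dataclass
class RaMessage:
    """Fields of an already parsed Router Advertisement (constructed input)."""
    src: str
    hop_limit: int
    m_flag: bool
    o_flag: bool
    router_pref: str = "medium"
    prefixes: List[str] = field(default_factory=list)


def _acl_matches(acl: List[str], value: str) -> bool:
    """Assumed ACL semantics: value matches if it falls inside any rule's prefix."""
    net = ipaddress.ip_network(value, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(rule, strict=False)) for rule in acl)


def ra_guard_check(policy: RaGuardPolicy, ra: RaMessage) -> Tuple[bool, str]:
    """Return (passed, reason). The RA passes only if every configured criterion matches."""
    # Sender address criterion; a missing or empty ACL does not take effect.
    if policy.source_acl and not _acl_matches(policy.source_acl, ra.src):
        return False, "sender address not permitted by ACL"
    # Prefix criterion: every advertised prefix must be matched by the ACL.
    # An ACL without rules does not take effect, as the text states.
    if policy.prefix_acl:
        for p in ra.prefixes:
            if not _acl_matches(policy.prefix_acl, p):
                return False, f"advertised prefix {p} not permitted by prefix ACL"
    # M flag and O flag criteria.
    if policy.managed_flag is not None and ra.m_flag != policy.managed_flag:
        return False, "M flag mismatch"
    if policy.other_flag is not None and ra.o_flag != policy.other_flag:
        return False, "O flag mismatch"
    # Hop limit: passes if not higher than the maximum (and, assumed, not lower than the minimum).
    if policy.hop_limit_max is not None and ra.hop_limit > policy.hop_limit_max:
        return False, "hop limit above maximum"
    if policy.hop_limit_min is not None and ra.hop_limit < policy.hop_limit_min:
        return False, "hop limit below minimum"
    # Router preference: passes if not higher than the configured maximum.
    if policy.router_pref_max is not None:
        if PREF_RANK[ra.router_pref] > PREF_RANK[policy.router_pref_max]:
            return False, "router preference above maximum"
    return True, "pass"


# Constructed policy corresponding to: if-match autoconfig managed-address-flag off,
# if-match hop-limit maximum 64, if-match router-preference maximum medium, plus a
# sender ACL and a prefix ACL whose rule contents are constructed sample values.
POLICY1 = RaGuardPolicy(
    source_acl=["fe80::/10"],
    prefix_acl=["2001:db8::/32"],
    managed_flag=False,
    hop_limit_max=64,
    router_pref_max="medium",
)

if __name__ == "__main__":
    legit = RaMessage("fe80::1", 64, False, True, "medium", ["2001:db8:1::/64"])
    rogue = RaMessage("fe80::2", 255, True, True, "high", ["2001:db8:1::/64"])
    print(ra_guard_check(POLICY1, legit))  # (True, 'pass')
    print(ra_guard_check(POLICY1, rogue))  # (False, 'M flag mismatch')
```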
undo ipv6 nd raguard log enable Default The RA guard logging feature is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This command allows a device to generate logs when it detects forged RA messages. The log information helps administrators locate and solve problems.
Parameters policy-name: Assigns a name to the RA guard policy. The name is a case-sensitive string of 1 to 31 characters. Examples # Create RA guard policy policy1 and enter its view. <Sysname> system-view [Sysname] ipv6 nd raguard policy policy1 [Sysname-raguard-policy-policy1] Related commands display ipv6 nd raguard policy...
reset ipv6 nd raguard statistics Use reset ipv6 nd raguard statistics to clear RA guard statistics. Syntax reset ipv6 nd raguard statistics [ interface interface-type interface-number ] Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears RA guard statistics for all interfaces.
IPv4 uRPF commands display ip urpf Use display ip urpf to display uRPF configuration. Syntax In standalone mode: display ip urpf slot slot-number In IRF mode: display ip urpf chassis chassis-number slot slot-number Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator...
Use undo ip urpf to disable uRPF. Syntax ip urpf { loose [ allow-default-route ] | strict [ allow-default-route ] } undo ip urpf Default uRPF is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
IPv6 uRPF commands display ipv6 urpf Use display ipv6 urpf to display IPv6 uRPF configuration. Syntax In standalone mode: display ipv6 urpf slot slot-number In IRF mode: display ipv6 urpf chassis chassis-number slot slot-number Views Any view Predefined user roles network-admin network-operator mdc-admin...
Use undo ipv6 urpf to disable IPv6 uRPF. Syntax ipv6 urpf { loose | strict } [ allow-default-route ] undo ipv6 urpf Default IPv6 uRPF is disabled. Views System view Predefined user roles network-admin mdc-admin Parameters loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.
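The loose check described for ip urpf and ipv6 urpf, carried through against a constructed FIB for both address families, as an added Python example that is not HPE/Comware code. The strict-mode rule (the matching route must also leave through the ingress interface, per RFC 3704) and the reading of allow-default-route (a default-route match counts only when the keyword is set) are assumptions; the FIB contents and interface names are constructed.

```python
"""Added example (not HPE/Comware code): loose and strict uRPF source checks
against a constructed FIB, for IPv4 and IPv6 packets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FibEntry:
    prefix: str        # destination prefix, e.g. "10.1.0.0/16"; "0.0.0.0/0" or "::/0" is the default route
    out_iface: str     # outgoing interface of the route


def fib_lookup(fib: List[FibEntry], addr) -> Optional[FibEntry]:
    """Longest-prefix match of addr against the FIB; None if nothing matches."""
    best, best_len = None, -1
    for entry in fib:
        net = ipaddress.ip_network(entry.prefix)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def urpf_check(fib: List[FibEntry], src: str, in_iface: str,
               mode: str = "loose", allow_default_route: bool = False) -> bool:
    """Apply the uRPF check to one packet's source address.

    loose : the source address must match the destination of a FIB entry.
    strict: assumed (RFC 3704): the matching entry must also point out of the
            interface the packet arrived on.
    allow_default_route: assumed to let a match on the default route count;
            otherwise a source reachable only via the default route fails.
    Returns True if the packet passes, False if it should be dropped.
    """
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    addr = ipaddress.ip_address(src)
    entry = fib_lookup(fib, addr)
    if entry is None:
        return False                      # no route back to the source at all
    if ipaddress.ip_network(entry.prefix).prefixlen == 0 and not allow_default_route:
        return False                      # only the default route matched
    if mode == "strict" and entry.out_iface != in_iface:
        return False                      # route exists but via another interface
    return True


# Constructed FIB: two connected/static prefixes per family plus a default route.
FIB = [
    FibEntry("10.1.0.0/16", "GE1/0/1"),
    FibEntry("10.2.0.0/16", "GE1/0/2"),
    FibEntry("0.0.0.0/0", "GE1/0/3"),
    FibEntry("2001:db8:1::/48", "GE1/0/1"),
    FibEntry("2001:db8:2::/48", "GE1/0/2"),
    FibEntry("::/0", "GE1/0/3"),
]

if __name__ == "__main__":
    # A 10.1.x.x source arriving on GE1/0/2 passes loose but fails strict.
    print(urpf_check(FIB, "10.1.5.5", "GE1/0/2", "loose"))   # True
    print(urpf_check(FIB, "10.1.5.5", "GE1/0/2", "strict"))  # False
    # A source covered only by the default route needs allow-default-route.
    print(urpf_check(FIB, "192.0.2.9", "GE1/0/3", "loose"))  # False
    print(urpf_check(FIB, "192.0.2.9", "GE1/0/3", "loose", allow_default_route=True))  # True
```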
mdc-admin Parameters default-gateway gateway-ip: Specifies the IP address of the default gateway. Usage guidelines For MFF to take effect, make sure ARP snooping is enabled on the device. For a network (or VLAN) with IP addresses manually configured, the gateway IP address must be manually configured.
mac-forced-forwarding network-port Use mac-forced-forwarding network-port to configure the Ethernet port as a network port. Use undo mac-forced-forwarding network-port to restore the default. Syntax mac-forced-forwarding network-port undo mac-forced-forwarding network-port Default The Ethernet port is a user port. Views Layer 2 Ethernet interface view Layer 2 aggregate interface view Predefined user roles network-admin...
undo mac-forced-forwarding server server-ip&<1-10> Default No server IP address is specified. Views VLAN view Predefined user roles network-admin mdc-admin Parameters server-ip&<1-10>: Specifies a space-separated list of up to 10 server IP addresses. Usage guidelines You need to maintain a server list on the MFF device to ensure communication between the servers and clients.
FIPS commands display fips status Use display fips status to display the FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Examples # Display the FIPS mode state. <Sysname> display fips status FIPS mode is enabled.
After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode: • Automatic reboot Select the automatic reboot method. The system automatically performs the following tasks: a. Create a default FIPS configuration file named fips-startup.cfg. b.
Reboot the device automatically? [Y/N]:y The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically. Enter username(1-55 characters): root Enter password(15-63 characters): Confirm password: Waiting for reboot...
Examples # Trigger a self-test on the cryptographic algorithms. <Sysname> system-view [Sysname] fips self-test Cryptographic Algorithms Known-Answer Tests are running ... CPU 0 of slot 0 in chassis 0: Starting Known-Answer tests in the user space. Known-answer test for SHA1 passed. Known-answer test for SHA224 passed.
Known-answer test for DSA(signature/verification) passed. Known-answer test for random number generator passed. Known-Answer tests in the user space passed. Starting Known-Answer tests in the kernel. Known-answer test for AES passed. Known-answer test for HMAC-SHA1 passed. Known-answer test for SHA1 passed. Known-answer test for GCM passed.
MACsec commands confidentiality-offset Use confidentiality-offset to set the MACsec confidentiality offset in an MKA policy. Use undo confidentiality-offset to restore the default. Syntax confidentiality-offset offset-value undo confidentiality-offset Default The MACsec confidentiality offset is 0. The entire frame is encrypted. Views MKA policy view Predefined user roles network-admin...
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays MACsec information on all ports. verbose: Displays detailed MACsec information. If you do not specify this keyword, the command displays brief MACsec information.
Table 119 Command output Field: Protect frames. Description: Status of MACsec desire on the port: • Yes. • If the port does not have an MKA principal actor, this field displays N/A. Field: Active MKA policy. Description: MKA policy applied to the port. This field displays N/A if the port is not enabled with MACsec desire. This field is not available if the port is enabled with MACsec desire but is not applied an MKA policy.
Field Description Packet number for outbound traffic. SA number. The minimum received packet number allowed by SAK. Related commands mka apply policy display mka policy Use display mka policy to display MKA policy information. Syntax display mka { default-policy | policy [ name policy-name ] } Views Any view Predefined user roles...
Field: ConfOffset. Description: Confidentiality offset in bytes. Field: Validation. Description: Validation mode: • Check. • Strict. Related commands mka policy mka apply policy display mka session Use display mka session to display MKA session information. Syntax display mka session [ interface interface-type interface-number | local-sci sci-id ] [ verbose ] Views Any view Predefined user roles...
# Display detailed MKA session information on GigabitEthernet 1/0/1. <Sysname> display mka session interface gigabitethernet 1/0/1 verbose Interface GigabitEthernet1/0/1 Tx-SCI : 000C29F6A4380004 Priority Capability: 3 CKN for participant: ABCD Key server : Yes MI (MN) : D7B00EDA353242704CC6B0DB (7) Live peers Potential peers Principal actor : Yes...
Field: Principal actor. Description: Whether the MKA instance is the principal actor. MKA instance refers to the operation entity of the MKA protocol on a port. A port might have multiple MKA instances. The principal actor is the MKA instance in active state. MKA session status: •...
Field: Previous SAK KI. Description: Key identifier of the previous SAK, a string of hexadecimal digits that contains the key server's 12-byte MI and KN. This field displays N/A in the following situations: • The MKA instance is not the principal actor. •...
Table 122 Command output Field: MKPDUs with invalid CKN. Description: Number of received MKA packets with invalid CKNs. Field: MKPDUs with invalid ICV. Description: Number of MKA packets that failed ICV check. Field: MKPDUs with Rx error. Description: Number of received error MKA packets. Field: CKN for participant. Description: CAK name of the MKA instance.
Use undo macsec mka-session log enable to disable MKA session logging. Syntax macsec mka-session log enable undo macsec mka-session log enable Default MKA session logging is disabled. Views System view Predefined user roles network-admin mdc-admin Usage guidelines This command enables the device to generate logs for MKA session changes, such as peer aging and SAK updates.
If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the MACsec replay protection configuration in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except MACsec replay protection) of the MKA policy are effective on the port.
If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the replay protection window size in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except the replay protection window size) of the MKA policy are effective on the port.
[Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] macsec validation mode strict Related commands display macsec mka apply policy validation mode mka apply policy Use mka apply policy to apply an MKA policy to a port. Use undo mka apply policy to remove the MKA policy from a port. Syntax mka apply policy policy-name undo mka apply policy...
display mka policy replay-protection enable replay-protection window-size validation mode mka enable Use mka enable to enable MKA on a port. Use undo mka enable to disable MKA on a port. Syntax mka enable undo mka enable Default MKA is disabled on a port. Views Ethernet interface view Predefined user roles...
Views System view Predefined user roles network-admin mdc-admin Parameters policy-name: Specifies the name of an MKA policy, a case-sensitive string of 1 to 16 characters. Usage guidelines MKA policy provides a centralized method for configuring MACsec confidentiality offset, validation mode, replay protection, and replay protection window size. The system supports multiple MKA policies.
Parameters priority-value: Specifies the priority value, in the range of 0 to 255. The priority is inversely related to its value. Usage guidelines If you use an 802.1X-generated CAK, the access device port automatically becomes the key server. If you use a preshared key as the CAK, the port that has the higher priority (lower priority value) becomes the key server.
Usage guidelines The CAK can be either generated during 802.1X or manually configured at the CLI. The manually configured CAK takes precedence over the 802.1X-generated key. When 802.1X is not enabled on MACsec ports, you can execute this command to configure a preshared key on each MACsec port.
Related commands macsec replay-protection window-size macsec replay-protection enable mka apply policy reset mka session Use reset mka session to reset MKA sessions on ports. Syntax reset mka session [ interface interface-type interface-number ] Views User view Predefined user roles network-admin mdc-admin Parameters interface interface-type interface-number: Specifies a port by its type and number.
Examples # Clear MKA statistics on GigabitEthernet 1/0/1. <Sysname> reset mka statistics interface gigabitethernet 1/0/1 Related commands display mka statistics validation mode Use validation mode to set a MACsec validation mode in an MKA policy. Use undo validation mode to restore the default. Syntax validation mode { check | strict } undo validation mode...
802.1X client commands display dot1x supplicant Use display dot1x supplicant to display 802.1X client authentication information. Syntax display dot1x supplicant [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays 802.1X client authentication information for all interfaces.
Field: Anonymous identifier. Description: 802.1X client anonymous identifier. Field: SSL client policy. Description: SSL client policy used by the 802.1X client feature. Field: FSM state. Description: 802.1X client authentication state: • Init—The authentication process starts. • Connecting—The 802.1X client is connecting to the authenticator. •...
• TTLS-GTC. If the MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The device uses the 802.1X client username at the first authentication phase. Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.
Default An Ethernet interface uses the interface's MAC address for 802.1X client authentication. If the interface's MAC address is unavailable, the interface uses the device's MAC address for 802.1X client authentication. Views Ethernet interface view Predefined user roles network-admin mdc-admin Parameters mac-address: Specifies a MAC address in the format of H-H-H, excluding multicast, all-zero, and all-F MAC addresses.
Parameters cipher: Specifies a password in encrypted form. simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form. string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 127 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.
If the MD5-Challenge authentication is used, the device does not use an SSL client policy during the authentication process. Examples # Specify SSL client policy policy_1 to be used by an 802.1X client-enabled device on Ten-GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] dot1x supplicant ssl-client-policy policy_1 Related commands display dot1x supplicant...
Web authentication commands display web-auth Use display web-auth to display Web authentication configuration and running status on interfaces. Syntax display web-auth [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays Web authentication configuration for all interfaces.
Field: Web-auth domain. Description: ISP domain used by Web authentication. Field: Auth-fail VLAN. Description: Auth-Fail VLAN for Web authentication. This field displays Not configured if no Auth-Fail VLAN is configured. Field: Offline-detect. Description: Interval of Web authentication user detection. This field displays Not configured if online detection for Web authentication users is disabled. Field: Max online users. Description: Maximum number of Web authentication users allowed on the interface.
Predefined user roles network-admin network-operator mdc-admin mdc-operator Parameters server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters. If you do not specify a Web authentication server, this command displays information about all Web authentication servers. Examples # Display information about Web authentication server aaa.
network-operator mdc-admin mdc-operator Parameters interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information about online Web authentication users on all interfaces. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays online Web authentication user information for all cards.
Default No IP address or port number is specified for a Web authentication server. Views Web authentication server view Predefined user roles network-admin mdc-admin Parameters ipv4-address: Specifies the IPv4 address of the Web authentication server. This IP address is that of a Layer 3 interface on the access device and must be routable to and from the Web authentication user.
Default The redirection wait time is 5 seconds. Views Web authentication server view Predefined user roles network-admin mdc-admin Parameters period: Specifies the redirection wait time in the range of 1 to 90 seconds. Usage guidelines After a user passes Web authentication and is assigned an authorization VLAN, the user might need to change the IP address of the authentication client.
The IP address and port number in the URL must be the same as the IP address and port number of the Web authentication server. Examples # Specify http://192.168.1.1/portal/ as the redirection URL for Web authentication server wbs. <Sysname> system-view [Sysname] web-auth server wbs [Sysname-web-auth-server-wbs] url http://192.168.1.1:80/portal/ Related commands...
When you configure the parameter-name argument in this command, you must use the URL parameter name supported by the Web browser. Different Web browsers support different URL parameter names. Examples # Add parameters userip and userurl to the redirection URL of portal Web server wbs. <Sysname>...
Examples # Specify VLAN 5 as the Web authentication Auth-Fail VLAN on Ten-GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] port link-type hybrid [Sysname-Ten-GigabitEthernet1/0/1] mac-vlan enable [Sysname-Ten-GigabitEthernet1/0/1] web-auth auth-fail vlan 5 Related commands display web-auth web-auth domain Use web-auth domain to specify an authentication domain for Web authentication users on an interface.
Syntax web-auth enable apply server server-name undo web-auth enable Default Web authentication is disabled. Views Layer 2 Ethernet interface view Predefined user roles network-admin mdc-admin Parameters server-name: Specifies the Web authentication server name, a case-sensitive string of 1 to 32 characters.
Parameters ip-address: Specifies the Web authentication-free subnet address. mask-length: Specifies the mask length of the Web authentication-free subnet address, in the range of 0 to 32. mask: Specifies a mask for the Web authentication-free subnet in dotted decimal notation. all: Specifies all Web authentication-free subnets. Usage guidelines Web authentication users can access resources in Web authentication-free subnets without being authenticated.
[Sysname-Ten-GigabitEthernet1/0/1] web-auth max-user 32 Related commands display web-auth web-auth offline-detect Use web-auth offline-detect to enable online detection of Web authentication users. Use undo web-auth offline-detect to disable online detection of Web authentication users. Syntax web-auth offline-detect interval interval undo web-auth offline-detect interval Default Online detection of Web authentication users is disabled.
Default No Web proxy server port numbers are configured on the device. Views System view Predefined user roles network-admin mdc-admin Parameters port-number: Specifies a Web proxy server TCP port number, in the range of 1 to 65535. all: Specifies all Web proxy server TCP port numbers. Usage guidelines By default, proxied HTTP requests cannot trigger Web authentication and are silently dropped.
Predefined user roles network-admin mdc-admin Parameters server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters. Usage guidelines In Web authentication server view, you can configure the following parameters and features for the Web authentication server: •...
Document conventions and icons Conventions This section describes the conventions used in the documentation. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. [ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.