HP 6125XLG Command Reference Manual

Blade switch security command reference
HP 6125XLG Blade Switch
Security

Command Reference

Part number: 5998-3738
Software version: Release 2306
Document version: 6W100-20130912


Summary of Contents for HP 6125XLG

  • Page 1: Command Reference

    HP 6125XLG Blade Switch Security Command Reference Part number: 5998-3738 Software version: Release 2306 Document version: 6W100-20130912...
  • Page 2 HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
  • Page 3: Table Of Contents

    Contents: AAA commands (1); General AAA commands (1); accounting command (1); accounting default (2); accounting lan-access (3); accounting login (4); authentication default (5); authentication lan-access (7) ...
  • Page 4: timer quiet (RADIUS scheme view) (51); timer realtime-accounting (RADIUS scheme view) (52); timer response-timeout (RADIUS scheme view) (53); user-name-format (RADIUS scheme view) (54); vpn-instance (RADIUS scheme view) (55); HWTACACS commands (55) ...
  • Page 5: MAC authentication commands (100); display mac-authentication (100); mac-authentication (102); mac-authentication domain (102); mac-authentication max-user (103); mac-authentication timer (104); mac-authentication user-name-format (105); reset mac-authentication statistics (106) ...
  • Page 6: SSH commands (160); SSH server commands (160); display ssh server (160); display ssh user-information (161); sftp server enable (162); sftp server idle-timeout (163); ssh server acl (163) ...
  • Page 7: ARP attack protection commands (206); Unresolvable IP attack protection commands (206); arp resolving-route enable (206); arp source-suppression enable (206); arp source-suppression limit (207); display arp source-suppression (208); ARP packet rate limit commands (208) ...
  • Page 8: ike-profile (249); ipsec anti-replay check (249); ipsec anti-replay window (250); ipsec decrypt-check enable (251); ipsec logging packet enable (251); ipsec df-bit (252); ipsec global-df-bit (253); ipsec { ipv6-policy | policy } (interface view) (254) ...
  • Page 9: match local address (IKE keychain view) (297); match local address (IKE profile view) (298); match remote (299); pre-shared-key (301); priority (IKE keychain view) (302); priority (IKE profile view) (303); proposal ...
  • Page 10: Aaa Commands

    AAA commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. General AAA commands accounting command Use accounting command to specify the command line accounting method.
  • Page 11: Accounting Default

    accounting default Use accounting default to specify the default accounting method for an ISP domain. Use undo accounting default to restore the default. Syntax In non-FIPS mode: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo accounting default In FIPS mode:...
  • Page 12: Accounting Lan-Access

    Examples # Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] accounting default radius-scheme rd local Related commands: hwtacacs scheme, local-user, ...
  • Page 13: Accounting Login

    when the RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid. Examples # Configure ISP domain test to use local accounting for LAN users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] accounting lan-access local # Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup.
  • Page 14: Authentication Default

    local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines Accounting is not supported for login users who use FTP. You can specify multiple default accounting methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
  • Page 15 authentication default hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authentication default Default The default authentication method of an ISP domain is local. Views ISP domain view Predefined user roles...
  • Page 16: Authentication Lan-Access

    authentication lan-access Use authentication lan-access to configure the authentication method for LAN users. Use undo authentication lan-access to restore the default. Syntax In non-FIPS mode: authentication lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } undo authentication lan-access In FIPS mode: authentication lan-access { local | radius-scheme radius-scheme-name [ local ] }...
  • Page 17: Authentication Login

    Related commands: authentication default, local-user, radius scheme. authentication login Use authentication login to specify the authentication method for login users. Use undo authentication login to restore the default. Syntax In non-FIPS mode: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authentication login...
  • Page 18: Authentication Super

    authentication and no authentication. With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS server is invalid, and does not perform authentication when both of the previous methods are invalid. Examples # Configure ISP domain test to use local authentication for login users. <Sysname>...
  • Page 19: Authorization Command

    Usage guidelines You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid. If you specify a scheme to provide the method for user role authentication, the method applies only to users whose user role is in the format of level-n.
  • Page 20: Authorization Default

    Predefined user roles network-admin Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role.
  • Page 21 authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authorization default In FIPS mode: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }...
  • Page 22: Authorization Lan-Access

    [Sysname-isp-test] authorization default radius-scheme rd local Related commands: hwtacacs scheme, local-user, radius scheme. authorization lan-access Use authorization lan-access to configure the authorization method for LAN users. Use undo authorization lan-access to restore the default. Syntax In non-FIPS mode: authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } undo authorization lan-access In FIPS mode:...
  • Page 23: Authorization Login

    <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization lan-access local # Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization lan-access radius-scheme rd local Related commands: authorization default, ...
  • Page 24: Display Domain

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one authorization method and multiple backup authorization methods.
  • Page 25 Examples # Display the configuration of all ISP domains. <Sysname> display domain Total 2 domain(s) Domain:system State: Active Access-limit: Disable Access-Count: 0 default Authentication Scheme: local default Authorization Scheme: local default Accounting Scheme: local Domain:dm State: Active Access-limit: 2222 Access-Count: 0 login Authentication Scheme: radius: rad...
  • Page 26: Domain

    Field Description Command Authorization Scheme Command line authorization method. Command Accounting Scheme Command line accounting method. Super Authentication Scheme Authentication method for obtaining a temporary user role. domain Use domain to create an ISP domain and enter its view. Use undo domain to remove an ISP domain. Syntax domain isp-name undo domain isp-name...
  • Page 27: Domain Default Enable

    domain default enable Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain. Use undo domain default enable to restore the default. Syntax domain default enable isp-name undo domain default enable Default The default ISP domain is the system-defined ISP domain system.
  • Page 28: Local User Commands

    Default An ISP domain is in active state. Views ISP domain view Predefined user roles network-admin Parameters active: Places the ISP domain in active state to allow the users in the ISP domain to request network services. block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
  • Page 29 Views Local user view, user group view Predefined user roles network-admin Parameters acl acl-number: Specifies the authorization ACL. The ACL number must be in the range of 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL. idle-cut minute: Sets the idle timeout period.
  • Page 30: Bind-Attribute

    user roles of the user. When you assign other user roles to a local user who has the security-audit user role, the system asks for your confirmation to delete the security-audit user role for the local user. Examples # Configure the authorized VLAN of the network access user abc as VLAN 2. <Sysname>...
  • Page 31: Display Local-User

    mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to LAN users. vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094.
  • Page 32 service-type: Specifies the local users who use a specified type of service. • ftp: FTP users. lan-access: LAN users, mainly users accessing the network through an Ethernet, such as 802.1X • users. ssh: SSH users. • • telnet: Telnet users. terminal: Terminal users who log in through console ports.
  • Page 33: Display User-Group

    Table 2 Command output Field Description State: Status of the local user: active or blocked. Service Type: Service types that the local user can use, including FTP, LAN access, SSH, Telnet, and terminal. User Group: Group to which the local user belongs. Bind attributes: Binding attributes of the local user.
  • Page 34: Group

    Work Directory: flash:/ ACL Number: 2000 VLAN ID: Table 3 Command output Field Description Idle TimeOut Idle timeout period, in minutes. Work Directory Directory that FTP/SFTP/SCP users in the group can access. ACL Number Authorization ACL. VLAN ID Authorized VLAN. group Use group to assign a local user to a user group.
  • Page 35 Syntax local-user user-name [ class { manage | network } ] undo local-user { user-name class { manage | network } | all [ service-type { ftp | lan-access | ssh | telnet | terminal } | class { manage | network } ] } Default No local user exists.
  • Page 36: Password

    service-type. password Use password to configure a password for a local user. Use undo password to delete the password of a local user. Syntax In non-FIPS mode: password [ { cipher | hash | simple } password ] undo password In FIPS mode: password Default...
  • Page 37: Service-Type

    Examples # Set the password of the device management user user1 to 123456 in plain text. <Sysname> system-view [Sysname] local-user user1 class manage [Sysname-luser-manage-user1] password simple 123456 # Set the password of the device management user test in interactive mode. <Sysname>...
  • Page 38: State (Local User View)

    ssh: Authorizes the user to use the SSH service. telnet: Authorizes the user to use the Telnet service. terminal: Authorizes the user to use the terminal service and log in from a console port. Usage guidelines You can assign multiple service types to a user. Examples # Authorize the device management user user1 to use the Telnet and FTP services.
  • Page 39: User-Group

    user-group Use user-group to create a user group and enter its view. Use undo user-group to delete a user group. Syntax user-group group-name undo user-group group-name Default There is a user group named system in the system. Views System view Predefined user roles network-admin Parameters...
  • Page 40: Data-Flow-Format (Radius Scheme View)

    Default The accounting-on feature is disabled. Views RADIUS scheme view Predefined user roles network-admin Parameters interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds. send send-times: Specifies the maximum number of accounting-on packet transmission attempts.
  • Page 41: Display Radius Scheme

    Predefined user roles network-admin Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 42 ------------------------------------------------------------------ RADIUS Scheme Name : radius1 Index : 0 Primary Auth Server: : 2.2.2.2 Port: 1812 State: Active VPN : vpn1 Primary Acct Server: IP: 1.1.1.1 Port: 1813 State: Active VPN : Not configured Second Auth Server: IP: Not configured Port: 1812 State: Block VPN : Not configured...
  • Page 43: Display Radius Statistics

    Field Description VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured. Server: n Member ID of the security policy server. IP address of the security policy server. VPN to which the security policy server belongs. If no VPN is specified for the server, this field displays Not configured.
  • Page 44: Key (Radius Scheme View)

    Auth. Acct. SessCtrl. Request Packet: Retry Packet: Timeout Packet: Access Challenge: Account Start: Account Update: Account Stop: Terminate Request: Set Policy: Packet With Response: Packet Without Response: Access Rejects: Dropped Packet: Check Failures: Table 5 Command output Field Description Auth. Authentication packets.
  • Page 45 Use undo key to restore the default. Syntax key { accounting | authentication } { cipher | simple } string undo key { accounting | authentication } Default No shared key is configured. Views RADIUS scheme view Predefined user roles network-admin Parameters accounting: Sets the shared key for secure RADIUS accounting communication.
  • Page 46: Nas-Ip (Radius Scheme View)

    nas-ip (RADIUS scheme view) Use nas-ip to specify a source IP address for outgoing RADIUS packets. Use undo nas-ip to delete a source IP address for outgoing RADIUS packets. Syntax nas-ip { ipv4-address | ipv6 ipv6-address } undo nas-ip [ ipv6 ] Default The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view.
  • Page 47: Primary Accounting (Radius Scheme View)

    primary accounting (RADIUS scheme view) Use primary accounting to specify the primary RADIUS accounting server. Use undo primary accounting to remove the configuration. Syntax primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary accounting Default...
  • Page 48: Primary Authentication (Radius Scheme View)

    If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out, and the device looks for an active server with the highest priority for accounting.
  • Page 49 port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting is 1812. key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS authentication server.
  • Page 50: Radius Nas-Ip

    radius nas-ip Use radius nas-ip to specify a source address for outgoing RADIUS packets. Use undo radius nas-ip to delete a source address for outgoing RADIUS packets. Syntax radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] undo radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
  • Page 51: Radius Scheme

    radius scheme Use radius scheme to create a RADIUS scheme and enter its view. Use undo radius scheme to delete a RADIUS scheme. Syntax radius scheme radius-scheme-name undo radius scheme radius-scheme-name Default If the switch uses the initial settings, no RADIUS scheme is defined. If the switch uses the default configuration file, a system-defined RADIUS scheme named system exists.
  • Page 52: Reset Radius Statistics

    Views System view Predefined user roles network-admin Usage guidelines The session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC. Examples # Enable the session-control feature. <Sysname> system-view [Sysname] radius session-control enable reset radius statistics Use reset radius statistics to clear RADIUS statistics.
  • Page 53: Retry Realtime-Accounting

    Predefined user roles network-admin Parameters retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to Usage guidelines Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.
  • Page 54: Secondary Accounting (Radius Scheme View)

    unexpected failure occurs. To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The maximum number of accounting attempts, together with some other parameters, controls how the NAS sends accounting requests and enables the NAS to disconnect the user when a failure occurs.
  • Page 55 port-number: Specifies the service port number of the secondary RADIUS accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813. key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.
  • Page 56: Secondary Authentication (Radius Scheme View)

    <Sysname> system-view [Sysname] radius scheme radius2 [Sysname-radius-radius2] secondary accounting 10.110.1.1 1813 [Sysname-radius-radius2] secondary accounting 10.110.1.2 1813 Related commands: display radius scheme, key (RADIUS scheme view), primary accounting (RADIUS scheme view), vpn-instance (RADIUS scheme view). secondary authentication (RADIUS scheme view) Use secondary authentication to specify a secondary RADIUS authentication server.
  • Page 57: Security-Policy-Server

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure that the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.
  • Page 58: State Primary

    Use undo security-policy-server to remove a security policy server. Syntax security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] undo security-policy-server { { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] | all } Default No security policy server is specified. Views RADIUS scheme view Predefined user roles...
  • Page 59: State Secondary

    Parameters accounting: Sets the status of the primary RADIUS accounting server. authentication: Sets the status of the primary RADIUS authentication server. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state. Usage guidelines During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state.
  • Page 60: Timer Quiet (Radius Scheme View)

    port-number: Service port number of a secondary RADIUS server, a UDP port number in the range of 1 to 65535. The default port number of a secondary accounting server is 1813 and that of a secondary authentication server is 1812. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 61: Timer Realtime-Accounting (Radius Scheme View)

    Parameters minutes: Specifies the server quiet period in minutes, in the range of 1 to 255. Usage guidelines Make sure the server quiet timer is set correctly. Too short a quiet timer might result in frequent authentication or accounting failures because the device keeps attempting to communicate with an unreachable server that is in active state.
  • Page 62: Timer Response-Timeout (Radius Scheme View)

    Number of users / Real-time accounting interval:
      100 to 499: 6 minutes
      500 to 999: 12 minutes
      1000 or more: 15 minutes or longer
    Examples # Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer realtime-accounting 51 Related commands retry realtime-accounting...
  • Page 63: User-Name-Format (Radius Scheme View)

    Related commands: display radius scheme, retry. user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Use undo user-name-format to restore the default. Syntax user-name-format { keep-original | with-domain | without-domain } undo user-name-format Default The ISP domain name is included in the username.
  • Page 64: Vpn-Instance (Radius Scheme View)

    vpn-instance (RADIUS scheme view) Use vpn-instance to specify a VPN for a RADIUS scheme. Use undo vpn-instance to remove the configuration. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The RADIUS scheme belongs to the public network. Views RADIUS scheme view Predefined user roles network-admin Parameters vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.
  • Page 65: Display Hwtacacs Scheme

    Views HWTACACS scheme view Predefined user roles network-admin Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 66: Field Description

    Usage guidelines If no HWTACACS scheme name is specified, the command displays the configuration of all HWTACACS schemes. Examples # Display the configuration of all HWTACACS schemes. <Sysname> display hwtacacs scheme Total 1 TACACS schemes ------------------------------------------------------------------ HWTACACS Scheme Name : hwtac Index : 0 Primary Auth Server: : 2.2.2.2...
  • Page 67: Hwtacacs Nas-Ip

    Field Description VPN Instance: MPLS L3VPN to which the HWTACACS server or scheme belongs. If no VPN is specified for the server or scheme, this field displays Not configured. NAS IP Address: Source IP address for outgoing HWTACACS packets. Server Quiet Period: Quiet period for the primary servers, in minutes.
  • Page 68: Hwtacacs Scheme

    Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS. If yes, the server processes the packet. If not, the server drops the packet. You can specify up to 16 source IP addresses, including zero or one public-network source IPv4 address, zero or one public-network source IPv6 address, and private-network source IP addresses.
  • Page 69: Key (Hwtacacs Scheme View)

    Related commands display hwtacacs scheme key (HWTACACS scheme view) Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication. Use undo key to remove the configuration. Syntax key { accounting | authentication | authorization } { cipher | simple } string undo key { accounting | authentication | authorization } Default No shared key is configured.
  • Page 70: Nas-Ip (Hwtacacs Scheme View)

    [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key authentication simple 123456 # Set the shared key for secure HWTACACS authorization communication to ok in plain text. [Sysname-hwtacacs-hwt1] key authorization simple ok # Set the shared key for secure HWTACACS accounting communication to hello in plain text. [Sysname-hwtacacs-hwt1] key accounting simple hello Related commands display hwtacacs scheme...
  • Page 71: Primary Accounting (Hwtacacs Scheme View)

    <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1 Related commands hwtacacs nas-ip primary accounting (HWTACACS scheme view) Use primary accounting to specify the primary HWTACACS accounting server. Use undo primary accounting to remove the configuration. Syntax primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary accounting Default...
  • Page 72: Primary Authentication (Hwtacacs Scheme View)

    Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
  • Page 73: Primary Authorization

    key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server. cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 373 characters. In FIPS mode, the key is a string of 15 to 373 characters.
  • Page 74 Syntax primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary authorization Default No primary HWTACACS authorization server is specified. Views HWTACACS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.
  • Page 75: Reset Hwtacacs Statistics

    Examples # Specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key abc for HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple abc Related commands display hwtacacs scheme •...
  • Page 76 undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] Default No secondary HWTACACS accounting server is specified. Views HWTACACS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.
  • Page 77: Secondary Authentication (Hwtacacs Scheme View)

    For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext. Examples # Specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key abc for HWTACACS scheme hwt1. <Sysname>...
  • Page 78: Secondary Authorization

    In non-FIPS mode, the key is a string of 1 to 255 characters. In FIPS mode, the key is a string of 15 to 255 characters and must contain numbers, uppercase letters, lowercase letters, and special characters. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 79 Syntax secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo secondary authorization [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] Default No secondary HWTACACS authorization server is specified.
  • Page 80: Timer Quiet (Hwtacacs Scheme View)

    If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
  • Page 81: Timer Realtime-Accounting (Hwtacacs Scheme View)

    Related commands display hwtacacs scheme timer realtime-accounting (HWTACACS scheme view) Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default. Syntax timer realtime-accounting minutes undo timer realtime-accounting Default The real-time accounting interval is 12 minutes. Views HWTACACS scheme view Predefined user roles...
  • Page 82: Timer Response-Timeout (Hwtacacs Scheme View)

    timer response-timeout (HWTACACS scheme view) Use timer response-timeout to set the HWTACACS server response timeout timer. Use undo timer response-timeout to restore the default. Syntax timer response-timeout seconds undo timer response-timeout Default The HWTACACS server response timeout time is 5 seconds. Views HWTACACS scheme view Predefined user roles...
  • Page 83: Vpn-Instance (Hwtacacs Scheme View)

    Predefined user roles network-admin Parameters keep-original: Sends the username to the HWTACACS server as it is entered. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server. without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server. Usage guidelines A username is typically in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs.
  • Page 84: Ldap Commands

    Usage guidelines The VPN specified here takes effect for all servers in the HWTACACS scheme for which no VPN is specified. Examples # Specify VPN test for HWTACACS scheme hwt1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] vpn-instance test Related commands display hwtacacs scheme LDAP commands authentication-server...
  • Page 85: Display Ldap Scheme

    ldap server. display ldap scheme Use display ldap scheme to display the LDAP scheme configuration. Syntax display ldap scheme [ scheme-name ] Views Any view Predefined user roles network-admin network-operator Parameters scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines If no LDAP scheme name is specified, the command displays the configuration of all LDAP schemes.
  • Page 86 Field Description IP: IP address of the LDAP authentication server. If no authentication server is specified, this field displays 0.0.0.0. Port: Port number of the authentication server. If no port number is specified, this field displays the default port number. VPN Instance: VPN to which the LDAP server belongs. If no VPN is specified, this field displays Not configured.
  • Page 87: Ipv6

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the LDAP server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines The LDAP service port configured on the device must be consistent with the service port of the LDAP server.
  • Page 88: Ldap Scheme

    If you change the IP address and port number of the LDAP authentication server, the change is effective only for LDAP authentication that occurs after your change. Examples # Specify the IP address and port number of the LDAP authentication server as 192.168.0.10. <Sysname>...
  • Page 89: Login-Dn

    Syntax ldap server server-name undo ldap server server-name Default No LDAP server exists. Views System view Predefined user roles network-admin Parameters server-name: LDAP server name, a case-insensitive string of 1 to 64 characters. Examples # Create an LDAP server ccc and enter its view. <Sysname>...
  • Page 90: Login-Password

    Examples # Specify the administrator DN as uid=test, ou=people, o=example, c=city. <Sysname> system-view [Sysname] ldap server ldap1 [Sysname-ldap-server-ldap1] login-dn uid=test,ou=people,o=example,c=city Related commands display ldap scheme login-password Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.
  • Page 91: Protocol-Version

    protocol-version Use protocol-version to specify the LDAP version. Use undo protocol-version to restore the default. Syntax protocol-version { v2 | v3 } undo protocol-version Default The LDAP version is LDAPv3. Views LDAP server view Predefined user roles network-admin Parameters v2: Specifies the LDAP version LDAPv2. v3: Specifies the LDAP version LDAPv3.
  • Page 92: Search-Scope

    Default No base DN is specified for user search. Views LDAP server view Predefined user roles network-admin Parameters base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters. Examples # Specify the base DN for user search as dc=ldap,dc=com. <Sysname>...
  • Page 93: Server-Timeout

    Related commands: display ldap scheme, ldap server. server-timeout Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response. Use undo server-timeout to restore the default. Syntax server-timeout time-interval undo server-timeout Default The LDAP server timeout period is 10 seconds.
  • Page 94 Default The username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used. Views LDAP server view Predefined user roles network-admin Parameters user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters.
  • Page 95: 802.1X Commands

    802.1X commands display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics. interface interface-type interface-number: Specifies an interface by its type and number.
  • Page 96 802.1X multicast-trigger is enabled Mandatory authentication domain: Not configured Max online users is 256 EAPOL Packets: Tx 1087, Rx 986 Sent EAP Request/Identity Packets : 943 EAP Request/Challenge Packets: 60 EAP Success Packets: 29, Fail Packets: 55 Received EAPOL Start Packets : 60 EAPOL LogOff Packets: 24 EAP Response/Identity Packets : 724 EAP Response/Challenge Packets: 54...
  • Page 97: Dot1X

    Field Description The port is an authenticator: Role of the port. Authenticate mode is Auto: Authorization state of the port, which can be Force-Authorized, Auto, or Force-Unauthorized. Port access control type is: Access control method of the port. MAC-based—MAC-based access control.
  • Page 98: Dot1X Authentication-Method

    Examples # Enable 802.1X globally. <Sysname> system-view [Sysname] dot1x # Enable 802.1X on Ten-GigabitEthernet 1/1/6. [Sysname] interface ten-gigabitethernet 1/1/6 [Sysname-Ten-GigabitEthernet1/1/6] dot1x [Sysname-Ten-GigabitEthernet1/1/6] quit Related commands display dot1x dot1x authentication-method Use dot1x authentication-method to specify an EAP message handling method. Use undo dot1x authentication-method to restore the default. Syntax dot1x authentication-method { chap | eap | pap } undo dot1x authentication-method...
  • Page 99: Dot1X Handshake

    PAP transports usernames and passwords in plain text. This authentication method applies to scenarios that do not require high security. To use PAP, the client can be an HP iNode 802.1X client. CHAP transports the username in plain text and the password in encrypted form over the network. It is more secure than PAP.
  • Page 100: Dot1X Mandatory-Domain

    [Sysname] interface ten-gigabitethernet 1/1/6 [Sysname-Ten-GigabitEthernet1/1/6] dot1x handshake Related commands: display dot1x, dot1x timer handshake-period, dot1x retry. dot1x mandatory-domain Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port. Use undo dot1x mandatory-domain to remove the mandatory authentication domain. Syntax dot1x mandatory-domain domain-name undo dot1x mandatory-domain...
  • Page 101: Dot1X Multicast-Trigger

    Syntax dot1x max-user user-number undo dot1x max-user Default The maximum number of concurrent 802.1X users on a port is 256. Views Ethernet interface view Predefined user roles network-admin Parameters user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 256.
  • Page 102: Dot1X Port-Control

    Usage guidelines The multicast trigger function enables the device to act as the initiator and periodically multicast EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication. You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets. Examples # Enable the multicast trigger function on Ten-GigabitEthernet 1/1/6.
  • Page 103: Dot1X Port-Method

    <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/1/6 [Sysname-Ten-GigabitEthernet1/1/6] dot1x port-control unauthorized-force Related commands display dot1x dot1x port-method Use dot1x port-method to specify an access control method for the port. Use undo dot1x port-method to restore the default. Syntax dot1x port-method { macbased | portbased } undo dot1x port-method Default MAC-based access control applies.
  • Page 104: Dot1X Re-Authenticate

    undo dot1x quiet-period Default The quiet timer is disabled. Views System view Predefined user roles network-admin Usage guidelines When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. You can use the dot1x timer quiet-period command to set the quiet timer.
  • Page 105: Dot1X Retry

    Examples # Enable the 802.1X periodic online user re-authentication function on Ten-GigabitEthernet 1/1/6 and set the periodic re-authentication interval to 1800 seconds. <Sysname> system-view [Sysname] dot1x timer reauth-period 1800 [Sysname] interface ten-gigabitethernet 1/1/6 [Sysname-Ten-GigabitEthernet1/1/6] dot1x re-authenticate Related commands display dot1x •...
  • Page 106: Dot1X Timer

    dot1x timer Use dot1x timer to set 802.1X timers. Use undo dot1x timer to restore the defaults. Syntax dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value } undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period } Default The handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is...
  • Page 107: Dot1X Unicast-Trigger

    Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command. The change to the periodic re-authentication timer applies to the users that have been online only after the old timer expires. •...
  • Page 108: Reset Dot1X Statistics

    Examples # Enable the unicast trigger function on Ten-GigabitEthernet 1/1/6. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/1/6 [Sysname-Ten-GigabitEthernet1/1/6] dot1x unicast-trigger Related commands: display dot1x, dot1x multicast-trigger, dot1x retry, dot1x timer. reset dot1x statistics Use reset dot1x statistics to clear 802.1X statistics. Syntax reset dot1x statistics [ interface interface-type interface-number ] Views...
  • Page 109: Mac Authentication Commands

    MAC authentication commands display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics, including the global settings, port-specific settings, MAC authentication statistics, and online user statistics. Syntax display mac-authentication [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters...
  • Page 110 MAC Addr Auth state 00e0-fc12-3456 authenticated Table 11 Command output Field Description MAC authentication is enabled: Indicates whether MAC authentication is enabled globally. User account type: MAC-based or shared. If MAC-based accounts are used, this field displays "User name format is MAC address…"...
  • Page 111: Mac-Authentication

    Field Description MAC Addr: MAC address of the online user. Auth state: User status. authenticated—The user has passed MAC authentication. unauthenticated—The user failed MAC authentication. mac-authentication Use mac-authentication to enable MAC authentication globally or on a specific port. Use undo mac-authentication to disable MAC authentication globally or on a specific port.
  • Page 112: Mac-Authentication Max-User

    undo mac-authentication domain Default No authentication domain is specified for MAC authentication users. The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands." Views System view, Ethernet interface view Predefined user roles network-admin Parameters...
  • Page 113: Mac-Authentication Timer

    Views Ethernet interface view Predefined user roles network-admin Parameters user-number: Sets the maximum number of concurrent MAC authentication users on the port. The value range is 1 to 256. Examples # Configure port Ten-GigabitEthernet 1/1/6 to support up to 32 concurrent MAC authentication users. <Sysname>...
  • Page 114: Mac-Authentication User-Name-Format

    Quiet timer—Sets the interval that the device must wait before it can perform MAC authentication for a user who has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
  • Page 115: Reset Mac-Authentication Statistics

    mac-address: Uses MAC-based user accounts for MAC authentication users. You can also specify the format of username and password: with-hyphen—Hyphenates the MAC address, for example, xx-xx-xx-xx-xx-xx. without-hyphen—Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx. lowercase—Enters letters in lower case. •...
  • Page 116 Usage guidelines If no port is specified, the command clears all global and port-specific MAC authentication statistics. Examples # Clear MAC authentication statistics on port Ten-GigabitEthernet 1/1/6. <Sysname> reset mac-authentication statistics interface ten-gigabitethernet 1/1/6 Related commands display mac-authentication...
  • Page 117: Port Security Commands

    Port security commands display port-security Use display port-security to display port security configuration, operation information, and statistics for one or more ports. Syntax display port-security [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. Usage guidelines If no port is specified, this command displays port security information for all ports.
  • Page 118 Authorization is permitted Table 12 Command output Field Description AutoLearn aging time Sticky MAC address aging timer, in minutes. Disableport Timeout Silence period (in seconds) of the port that receives illegal packets. OUI value List of OUI values allowed for authentication. Port security mode: •...
  • Page 119: Display Port-Security Mac-Address Block

    Field Description Authorization: Indicates whether the authorization information from the authentication server (RADIUS server or local device) is ignored or not. permitted—Authorization information from the authentication server takes effect. ignored—Authorization information from the authentication server does not take effect. display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses.
  • Page 120 --- 1 mac address(es) found --- # Display the count of all blocked MAC addresses. <Sysname> display port-security mac-address block count --- 2 mac address(es) found --- # (IRF devices) Display the count of all blocked MAC addresses. <Sysname> display port-security mac-address block count --- On slot 1, 1 MAC address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses in VLAN 1.
  • Page 121: Display Port-Security Mac-Address Security

    1 mac address(es) found # (IRF devices) Display information about all blocked MAC addresses of port Ten-GigabitEthernet 1/1/6 in VLAN 30. <Sysname> display port-security mac-address block interface ten-gigabitethernet 1/1/6 vlan 30 MAC ADDR Port VLAN ID 000f-3d80-0d2d Ten-GigabitEthernet 1/1/6 --- On slot 1, 1 MAC address(es) found --- --- 1 mac address(es) found --- Table 13 Command output Field...
  • Page 122 Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command. Examples # Display information about all secure MAC addresses. <Sysname> display port-security mac-address security MAC ADDR VLAN ID STATE PORT INDEX AGING...
  • Page 123: Port-Security Authorization Ignore

    Field Description PORT INDEX: Port to which the secure MAC address belongs. AGING TIME: Period of time before the secure MAC address ages out. If the secure MAC address is a static MAC address, this field displays NOAGED. If the secure MAC address is a sticky MAC address, this field displays the remaining lifetime in minutes.
  • Page 124: Port-Security Enable

    port-security enable Use port-security enable to enable port security. Use undo port-security enable to disable port security. Syntax port-security enable undo port-security enable Default Port security is disabled. Views System view Predefined user roles network-admin Usage guidelines You must disable global 802.1X and MAC authentication before you enable port security on a port. Enabling or disabling port security resets the following security settings to the default: 802.1X access control mode is MAC-based, and the port authorization state is auto.
  • Page 125: Port-Security Mac-Address Security

    Default Intrusion protection is disabled. Views Ethernet interface view Predefined user roles network-admin Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port.
  • Page 126 undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] Default No secure MAC address entry is configured. Views Ethernet interface view, system view Predefined user roles network-admin Parameters sticky mac-address: Specifies a sticky MAC address, in H-H-H format. If you do not provide this keyword, the command configures a static secure MAC address.
  • Page 127: Port-Security Max-Mac-Count

    # Specify MAC address 0001-0002-0003 in VLAN 4 as a sticky MAC address. [Sysname-Ten-GigabitEthernet1/1/6] port-security mac-address security sticky 0001-0002-0003 vlan 4 [Sysname-Ten-GigabitEthernet1/1/6] quit # In system view, specify MAC address 0001-0001-0002 in VLAN 10 as a secure MAC address for port Ten-GigabitEthernet 1/1/6.
  • Page 128: Port-Security Ntk-Mode

    [Sysname] interface ten-gigabitethernet 1/1/6 [Sysname-Ten-GigabitEthernet1/1/6] port-security max-mac-count 100 Related commands display port-security port-security ntk-mode Use port-security ntk-mode to configure the NTK feature. Use undo port-security ntk-mode to restore the default. Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode Default NTK is disabled on a port and all frames are allowed to be sent.
  • Page 129: Port-Security Port-Mode

    Use undo port-security oui to delete the OUI value with the specified OUI index. Syntax port-security oui index index-value mac-address oui-value undo port-security oui index index-value Default No OUI value is configured. Views System view Predefined user roles network-admin Parameters index-value: Specifies the OUI index, in the range of 1 to 16.
  • Page 130 Default A port operates in noRestriction mode, where port security does not take effect. Views Interface view Predefined user roles network-admin Parameters Keyword Security mode Description A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address but to the secure MAC address table as secure MAC addresses.
  • Page 131 Keyword Security mode Description userlogin (userLogin): In this mode, a port performs 802.1X authentication and implements port-based access control. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication. userlogin-secure (userLoginSecure): In this mode, a port performs 802.1X authentication and implements MAC-based access control.
  • Page 132: Port-Security Timer Autolearn Aging

    # Change the port security mode of port Ten-GigabitEthernet 1/1/6 to userLogin. [Sysname-Ten-GigabitEthernet1/1/6] undo port-security port-mode [Sysname-Ten-GigabitEthernet1/1/6] port-security port-mode userlogin Related commands: display port-security, port-security max-mac-count. port-security timer autolearn aging Use port-security timer autolearn aging to set the secure MAC aging timer. Use undo port-security timer autolearn aging to restore the default.
  • Page 133 Syntax port-security timer disableport time-value undo port-security timer disableport Default The port silence period is 20 seconds. Views System view Predefined user roles network-admin Parameters time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.
  • Page 134: Password Control Commands

    Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
  • Page 135: Display Password-Control Blacklist

    Password composition: Enabled (1 types, 1 characters per type) Table 15 Command output Field Description Password control: Whether the password control feature is enabled. Password aging: Whether password expiration is enabled and, if enabled, the expiration time. Password length: Whether the minimum password length restriction function is enabled and, if enabled, the setting.
  • Page 136: Password-Control { Aging | Composition | History | Length } Enable

    ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines With no arguments provided, this command displays information about all users in the password control blacklist. If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist.
  • Page 137: Password-Control Aging

    Views System view Predefined user roles network-admin Parameters aging: Enables the password expiration function. composition: Enables the password composition restriction function. history: Enables the password history function. length: Enables the minimum password length restriction function. Usage guidelines Before you enable a specific password control function, you must first enable the global password control feature.
  • Page 138: Password-Control Alert-Before-Expire

    Default A password expires after 90 days. The password expiration time of a user group equals the global setting, and the password expiration time of a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Predefined user roles...
  • Page 139: Password-Control Complexity

    Default The default is 7 days. Views System view Predefined user roles network-admin Parameters alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30. Usage guidelines FTP users can only have their passwords changed by the administrator.
  • Page 140: Password-Control Composition

    Usage guidelines You can enable both username checking and repeated character checking. After the password complexity checking is enabled, complexity-incompliant passwords will be refused. Examples # Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username. <Sysname>...
  • Page 141 Table 17 Special characters Character name Symbol Character name Symbol Ampersand sign & Apostrophe Asterisk At sign Back quote Back slash Blank space Caret Colon Comma Dollar sign Equal sign Exclamation point Left angle bracket < Left brace Left bracket Left parenthesis Minus sign Percent sign...
  • Page 142: Password-Control Enable

    [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control composition type-number 3 type-length 5 Related commands: display password-control, password-control composition enable. password-control enable Use password-control enable to enable the password control feature globally. Use undo password-control enable to disable the password control feature globally. Syntax password-control enable undo password-control enable...
  • Page 143: Password-Control History

    Default A user can log in three times within 30 days after the password expires. Views System view Predefined user roles network-admin Parameters delay delay: Sets the maximum number of days during which a user can log in using an expired password.
  • Page 144: Password-Control Length

    Usage guidelines When the number of history password records reaches the set maximum number, the subsequent history record overwrites the earliest one. The system stops recording passwords after you execute the undo password-control history enable command, but it does not delete the prior records. To clear these records, use the undo password-control enable command to disable the password control feature globally or use the reset password-control history-record command to clear the passwords manually.
  • Page 145: Password-Control Login Idle-Time

    A minimum password length with a smaller application scope has higher priority. The system prefers to use the minimum password length in local user view for a local user. If no minimum password length is configured for the local user, the system uses the minimum password length for the user group. If no minimum password length is configured for the user group, the system uses the global minimum password length.
  • Page 146: Password-Control Login-Attempt

    Examples # Set the maximum account idle time to 30 days. <Sysname> system-view [Sysname] password-control login idle-time 30 Related commands display password-control password-control login-attempt Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Use undo password-control login-attempt to restore the default.
  • Page 147: Password-Control Super Aging

    If not prohibited from logging in, a username is removed from the password control blacklist when: • the user logs in to the system successfully. The password-control login-attempt command takes effect immediately after being executed, and it can affect the users already in the password control blacklist. Examples # Set the maximum number of login attempts to 4 and permanently prohibit a user from logging in if the user fails to log in after four attempts.
  • Page 148: Password-Control Super Composition

    Default A super password expires after 90 days. Views System view Predefined user roles network-admin Parameters aging-time: Specifies the super password expiration time in days, in the range of 1 to 365. Examples # Set the super passwords to expire after 10 days. <Sysname>...
  • Page 149: Password-Control Super Length

    Usage guidelines The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of the super password. Examples # Specify that a super password must contain at least three character types and at least five characters for each type.
  • Page 150: Password-Control Update-Interval

    password-control update-interval Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords. Use undo password-control update-interval to restore the default. Syntax password-control update-interval interval undo password-control update-interval Default The minimum password update interval is 24 hours.
  • Page 151: Reset Password-Control History-Record

    Parameters user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 55 characters. Usage guidelines For a user blacklisted due to excessive login attempts, you can use this command to remove the user from the password control blacklist and allow the user to log in again.
  • Page 152: Public Key Management Commands

    Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
  • Page 153 Key name: serverkey (default) Key type: RSA Time when key pair created: 15:40:48 2012/06/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2012/06/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7 9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03 92D8C6D940890BF4290203010001 # Display all local DSA public keys.
  • Page 154 # Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2012/06/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2012/06/12...
  • Page 155 # Display the public key of the local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2012/06/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58...
  • Page 156: Display Public-Key Peer

    display public-key peer Use display public-key peer to display information about peer public keys. Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
  • Page 157: Peer-Public-Key End

    Field Description Key code Public key string. # Display brief information about all peer public keys. <Sysname> display public-key peer brief Type Modulus Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 20 Command output Field Description Type Key type: RSA and DSA. Modulus Key modulus length in bits.
  • Page 158: Public-Key Local Create

    [Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818 100C0EC8014F82515F6335A0A [Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E 719D1643135877E13B1C531B4 [Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B 952ADF6B80EB5F52698FCF3D6 [Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050 BD4A9B1DDE675AC30CB020301 [Sysname-pkey-public-key-key1]0001 [Sysname-pkey-public-key-key1] peer-public-key end [Sysname] Related commands • display public-key local public display public-key peer • • public-key peer public-key local create Use public-key local create to create local asymmetric key pairs. Syntax public-key local create { dsa | ecdsa | rsa } [ name key-name ] Default...
  • Page 159 Usage guidelines The key algorithm must be the same as required by the security application. The key modulus length must be appropriate (see Table 22). The longer the key modulus length, the higher the security, and the longer the key generation time. If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default.
  • Page 160 ..++++++++ ..++++++++ Create the key pair successfully. # Create a local DSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 161: Public-Key Local Destroy

    ......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the name ecdsa1. <Sysname> system-view [Sysname] public-key local create ecdsa name ecdsa1 Generating Keys... Create the key pair successfully. # Create a local RSA key pair with the default name in FIPS mode. <Sysname>...
  • Page 162 Views System view Predefined user roles network-admin Parameters dsa: Specifies the DSA type. ecdsa: Specifies the ECDSA type. rsa: Specifies the RSA type. name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
  • Page 163: Public-Key Local Export Dsa

    Related commands public-key local create public-key local export dsa Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file. Syntax public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ] Views System view Predefined user roles...
  • Page 164 <Sysname> system-view [Sysname] public-key local export dsa openssh key.pub # Display the host public key of the local DSA key pair with the default name in SSH2.0 format. <Sysname> system-view [Sysname] public-key local export dsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "dsa-key-2012/06/12"...
  • Page 165: Public-Key Local Export Rsa

    bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBAKHkVsjaKtG7g7G98 qGmtaboNkK0YEAkRdp+QDZxX0aPdmVeEU1GC3ES9XFD7gIK70pb+tB7dA+8scZNqKK85hkoNCFEXux3088NEY ZullatZRH0km+DdpZ7CrcV+ft7UUvBF0FV3W4HOx/LOidJ5sX+qBAD4WcpSX0OrZEF4+dq dsa-key Related commands public-key local create • • public-key peer import sshkey public-key local export rsa Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file. Syntax In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]...
  • Page 166 Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey and its subfolders. Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.
  • Page 167: Public-Key Peer

    q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8b a8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== rsa-key Related commands public-key local create • public-key peer import sshkey • public-key peer Use public-key peer to specify a name for a peer public key and enter public key view. Use undo public-key peer to delete a peer public key. Syntax public-key peer keyname undo public-key peer keyname...
  • Page 168: Public-Key Peer Import Sshkey

    public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key. Syntax public-key peer keyname import sshkey filename undo public-key peer keyname Default The device has no peer public key.
  • Page 169: Ssh Commands

    SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
  • Page 170: Display Ssh User-Information

    Field Description SSH server key generating interval SSH server key pair update interval. Maximum number of authentication attempts for SSH SSH authentication retries users. SFTP server Whether the SFTP server function is enabled. SFTP server Idle-Timeout SFTP connection idle timeout timer. # Display the SSH server sessions.
  • Page 171: Sftp Server Enable

    Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured by using the ssh user command on the SSH server.
  • Page 172: Sftp Server Idle-Timeout

    Predefined user roles network-admin Examples # Enable the SFTP server function. <Sysname> system-view [Sysname] sftp server enable Related commands display ssh server sftp server idle-timeout Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server. Use undo sftp server idle-timeout to restore the default.
  • Page 173: Ssh Server Authentication-Retries

    Syntax ssh server acl acl-number undo ssh server acl Default An SSH server allows all IPv4 SSH clients to access the server. Views System view Predefined user roles network-admin Parameters acl-number: Specifies an ACL by its number in the range of 2000 to 4999. Usage guidelines You can use this command to filter the IPv4 SSH clients' request packets by referencing an ACL: If the ACL has rules configured, only the IPv4 SSH clients whose request packets match the permit...
  • Page 174: Ssh Server Authentication-Timeout

    Views System view Predefined user roles network-admin Parameters times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5. Usage guidelines You can set this limit to prevent malicious hacking of usernames and passwords. This configuration takes effect only on the users at next login.
  • Page 175: Ssh Server Compatible-Ssh1X Enable

    Usage guidelines If a user does not finish the authentication when the timeout timer expires, the connection cannot be established. You can set a small value for the timeout timer to prevent malicious occupation of TCP connections while authentications are suspended. Examples # Set the SSH user authentication timeout timer to 10 seconds.
  • Page 176: Ssh Server Ipv6 Acl

    Use undo ssh server enable to disable the SSH server function. Syntax ssh server enable undo ssh server enable Default SSH server function is disabled. Views System view Predefined user roles network-admin Examples # Enable SSH server function. <Sysname> system-view [Sysname] ssh server enable Related commands display ssh server...
  • Page 177: Ssh Server Rekey-Interval

    • If the ACL does not exist, or the ACL does not have any statement, all the IPv6 SSH clients can access the server. The ACL filters only new SSH connections after the configuration. If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure ACL 2001 and reference the ACL to allow only the IPv6 SSH client at 1::1 to access the server.
  • Page 178: Ssh User

    Related commands display ssh server ssh user Use ssh user to create an SSH user and specify the service type and authentication method. Use undo ssh user to delete an SSH user. Syntax In non-FIPS mode: ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname } undo ssh user username In FIPS mode:...
  • Page 179 This authentication method is easy to use. If this method is configured, the authentication process completes automatically without the need of entering any password. assign publickey keyname: Assigns an existing host public key to an SSH user. The keyname argument is a string of 1 to 64 characters.
  • Page 180: Ssh Client Commands

    SSH client commands Use bye to terminate the connection with an SFTP server and return to user view. Syntax Views SFTP client view Predefined user roles network-admin Usage guidelines This command functions as the exit and quit commands. Examples # Terminate the connection with the SFTP server. sftp>...
  • Page 181: Cdup

    cdup Use cdup to return to the upper-level directory. Syntax cdup Views SFTP client view Predefined user roles network-admin Example # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current Directory is:/test1 sftp> pwd Remote working directory: /test1 sftp>...
  • Page 182: Dir

    Use dir to display information about the files and sub-directories under a directory. Syntax dir [ -a | -l ] [ remote-path ] Views SFTP client view Predefined user roles network-admin Parameters -a: Displays the names of the files and sub-directories under a directory. -l: Displays detailed information about the files and sub-directories under a directory in the form of a list.
  • Page 183: Display Sftp Client Source

    display sftp client source Use display sftp client source to display the source IP address or source interface configured for the SFTP client. Syntax display sftp client source Views Any view Predefined user roles network-admin network-operator Examples # Display the source IP address configured for the SFTP client. <Sysname>...
  • Page 184: Exit

    exit Use exit to terminate the connection with an SFTP server and return to user view. Syntax exit Views SFTP client view Predefined user roles network-admin Usage guidelines This command functions as the bye and quit commands. Examples # Terminate the connection with the SFTP server. sftp>...
  • Page 185 Views SFTP client view Predefined user roles network-admin Usage guidelines The help command functions as entering the question mark (?). Examples # Display help information. sftp> help Available commands: Quit sftp cd [path] Change remote directory to 'path' cdup Change remote directory to the parent directory delete path Delete remote file dir [-a|-l][path]...
  • Page 186: Mkdir

    Parameters -a: Displays the names of the files and sub-directories under a directory. -l: Displays detailed information about the files and sub-directories under a directory in the form of a list. remote-path: Specifies the name of the directory to be queried. Usage guidelines If the -a and -l keywords are not specified, the command displays the names of the files and sub-directories under a directory.
  • Page 187: Put

    Parameters remote-path: Specifies the name for the directory on an SFTP server Examples # Create a directory named test on the SFTP server. sftp> mkdir test Use put to upload a local file to an SFTP server. Syntax put local-file [ remote-file ] Views SFTP client view Predefined user roles...
  • Page 188: Quit

    quit Use quit to terminate the connection with an SFTP server and return to user view. Syntax quit Views SFTP client view Predefined user roles network-admin Usage guidelines This command functions as the bye and exit commands. Examples # Terminate the connection with the SFTP server. sftp>...
  • Page 189: Rmdir

    Views SFTP client view Predefined user roles network-admin Parameters oldname: Specifies the name of an existing file or directory. newname: Specifies a new name for the file or directory. Examples # Change the name of a file on the SFTP server from temp1.c to temp2.c. sftp>...
  • Page 190 In FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] * Views...
  • Page 191: Scp Ipv6

    sha1-96: Specifies the HMAC algorithm hmac-sha1-96. • prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs more time in calculation than dh-group1.
  • Page 192 sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * In FIPS mode: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key rsa | prefer-compress zlib |...
  • Page 193 des: Specifies the encryption algorithm des-cbc. • prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5. md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. •...
  • Page 194: Sftp

    sftp Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view. Syntax In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ]...
  • Page 195 prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5. md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. • sha1: Specifies the HMAC algorithm hmac-sha1. •...
  • Page 196: Sftp Client Ipv6 Source

    sftp client ipv6 source Use sftp client ipv6 source to specify the source IPv6 address or source interface for the SFTP client. Use undo sftp client ipv6 source to remove the configuration. Syntax sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address } undo sftp client ipv6 source Default The SFTP client uses the IPv6 address of the interface specified by the route of the device to access the...
  • Page 197: Sftp Ipv6

    Syntax sftp client source { interface interface-type interface-number | ip ip-address } undo sftp client source Default The SFTP client uses the IPv4 address of the interface specified by the route of the device to access the SFTP server. Views System view Predefined user roles network-admin...
  • Page 198 In FIPS mode: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views...
  • Page 199: Ssh Client Ipv6 Source

    prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs more time in calculation than dh-group1. • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
  • Page 200: Ssh Client Source

    Default The Stelnet client uses the IPv6 address of the interface specified by the route of the device to access the Stelnet server. Views System view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies the IPv6 address of the interface which matches the destination address of the outbound packets using the longest match criteria as the source IPv6 address.
  • Page 201: Ssh2

    Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies the primary IP address of the interface as the source address. The interface-type interface-number argument specifies a source interface by its type and number. ip ip-address: Specifies a source IPv4 address. Usage guidelines The Stelnet client uses the specified source address to communicate with the server.
  • Page 202 Predefined user roles network-admin Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 203: Ssh2 Ipv6

    faults, use the specified loopback interface as the source interface, and either IP address of the two interfaces as the source IP address. interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address to send packets. ip ip-address: Specifies a source IPv4 address.
  • Page 204 Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 205 source: Specifies a source IP address or source interface to connect to the server. By default, the device automatically selects the source IP address from the routing table. To avoid the communication failure between the client and the server due to interface faults, use the specified loopback interface as the source interface, and either IP address of the two interfaces as the source IP address.
  • Page 206: Ip Source Guard Commands

    IP source guard commands display ip source binding Use display ip source binding to display IPv4 source guard binding entries. Syntax display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] Views Any view...
  • Page 207: Display Ipv6 Source Binding Static

    Examples # Display IPv4 source guard binding entries on all interfaces on the public network. <Sysname> display ip source binding Total entries found: 5 IP Address MAC Address Interface VLAN Type 10.1.0.5 040a-0000-4000 XGE1/1/5 DHCP snooping 10.1.0.6 040a-0000-3000 XGE1/1/5 DHCP snooping 10.1.0.7 040a-0000-2000 XGE1/1/5 DHCP snooping...
  • Page 208: Ip Source Binding

    Parameters ip-address ipv6-address: Displays static IPv6 source guard binding entries for an IPv6 address. mac-address mac-address: Displays static IPv6 source guard binding entries for a MAC address. The MAC address must be specified in H-H-H format. vlan vlan-id: Displays static IPv6 source guard binding entries for a VLAN. The vlan-id argument is the bound VLAN ID, in the range of 1 to 4094.
  • Page 209: Ip Verify Source

    Syntax ip source binding ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id ] undo ip source binding ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id ] Default No static IPv4 source guard binding entry is configured on an interface. Views Ethernet interface view, VLAN interface view Predefined user roles...
  • Page 210 Syntax ip verify source ip-address [ mac-address ] undo ip verify source Default The IPv4 source guard function is disabled on an interface. Views Ethernet interface view, VLAN interface view Predefined user roles network-admin Parameters ip-address: Binds source IPv4 addresses to the interface. With this keyword specified, IP source guard filters packets received on the interface according to the source IPv4 addresses of the packets.
  • Page 211: Ipv6 Source Binding

    Related commands display ip source binding ipv6 source binding Use ipv6 source binding to configure a static IPv6 source guard binding entry. Use undo ipv6 source binding to delete the static IPv6 source guard binding entries configured on the interface. Syntax ipv6 source binding ip-address ipv6-address [ mac-address mac-address ] [ vlan vlan-id ] undo ipv6 source binding ip-address ipv6-address [ mac-address mac-address ] [ vlan vlan-id ]...
  • Page 212: Ipv6 Verify Source

    ipv6 verify source Use ipv6 verify source to enable the IPv6 source guard function. Use undo ipv6 verify source to restore the default. Syntax ipv6 verify source ip-address [ mac-address ] undo ipv6 verify source Default The IPv6 source guard function is disabled on an interface. Views Ethernet interface view, VLAN interface view Predefined user roles...
  • Page 213: Reset Ipv6 Source Binding

    Syntax reset ip source binding [ static [ ip-address ip-address ] | [ vpn-instance vpn-instance-name ] [ { dhcp-relay | dhcp-server | dhcp-snooping } [ ip-address ip-address ] ] ] Views User view Predefined user roles network-admin Parameters static: Clears static IPv4 source guard binding entries. vpn-instance vpn-instance-name: Clears dynamic IPv4 source guard binding entries for a VPN.
  • Page 214 Syntax reset ipv6 source binding [ static [ ip-address ipv6-address ] ] Views User view Predefined user roles network-admin Parameters static: Clears static IPv6 source guard binding entries. ip-address ipv6-address: Clears IPv6 source guard binding entries for an IPv6 address. Usage guidelines If you do not specify any parameter, the command clears all IPv6 source guard binding entries.
  • Page 215: Arp Attack Protection Commands

    ARP attack protection commands Unresolvable IP attack protection commands arp resolving-route enable Use arp resolving-route enable to enable ARP black hole routing. Use undo arp resolving-route enable to disable ARP black hole routing. Syntax arp resolving-route enable undo arp resolving-route enable Default ARP black hole routing is enabled.
  • Page 216: Arp Source-Suppression Limit

    undo arp source-suppression enable Default ARP source suppression function is disabled. Views System view Predefined user role network-admin Usage guidelines Configure this feature on the gateway devices. Examples # Enable the ARP source suppression function. <Sysname> system-view [Sysname] arp source-suppression enable Related commands display arp source-suppression arp source-suppression limit...
  • Page 217: Display Arp Source-Suppression

    <Sysname> system-view [Sysname] arp source-suppression limit 100 Related commands display arp source-suppression display arp source-suppression Use display arp source-suppression to display information about the current ARP source suppression configuration. Syntax display arp source-suppression Views Any view Predefined user roles network-admin network-operator Examples # Display information about the current ARP source suppression configuration.
  • Page 218: Source Mac-Based Arp Attack Detection Commands

    Views Ethernet interface view, aggregate interface view Predefined user roles network-admin Parameters pps: Specifies the upper limit for ARP packet rate in pps, in the range of 5 to 200. Examples # Specify the maximum ARP packet rate on Ten-GigabitEthernet 1/1/5 as 50 pps. <Sysname>...
  • Page 219: Arp Source-Mac Aging-Time

    If neither the filter nor the monitor keyword is specified in the undo arp anti-attack source-mac command, both handling methods are disabled. Examples # Enable the source MAC-based ARP attack detection and specify the filter handling method. <Sysname> system-view [Sysname] arp source-mac filter arp source-mac aging-time Use arp source-mac aging-time to configure the aging time for ARP attack entries.
  • Page 220: Arp Source-Mac Threshold

    Predefined user roles network-admin Parameters mac-address&<1-10>: MAC address list. The mac-address argument indicates an excluded MAC address in the format H-H-H. &<1-10> indicates the number of excluded MAC addresses that you can configure. Usage guidelines If you do not specify any MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.
  • Page 221: Arp Packet Source Mac Consistency Check Commands

    Syntax display arp source-mac { slot slot-number | interface interface-type interface-number } Views Any view Predefined user roles network-admin network-operator Parameters interface interface-type interface-number: Displays ARP attack entries detected on the specified interface. slot slot-number: Displays ARP attack entries detected on an IRF member device. The slot-number argument specifies the ID of the IRF member device.
  • Page 222: Arp Active Acknowledgement Commands

    Views System view Predefined user roles network-admin Usage guidelines Configure this feature on gateway devices. After you execute this command, the gateway device can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. Examples # Enable ARP packet source MAC address consistency check.
  • Page 223: Arp Detection Commands

    ARP detection commands arp detection enable Use arp detection enable to enable ARP detection. Use undo arp detection enable to restore the default. Syntax arp detection enable undo arp detection enable Default ARP detection is disabled. Views VLAN view Predefined user roles network-admin Examples # Enable ARP detection for VLAN 2.
  • Page 224: Arp Detection Validate

    arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line. Use undo arp detection validate to disable ARP packet validity check. If you do not specify any keyword, this command deletes all objects.
  • Page 225: Display Arp Detection

    Views VLAN view Predefined user roles network-admin Examples # Enable ARP restricted forwarding in VLAN 2. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] arp restricted-forwarding enable display arp detection Use display arp detection to display the VLANs enabled with ARP detection. Syntax display arp detection Views...
  • Page 226: Reset Arp Detection Statistics

    Parameters interface interface-type interface-number: Displays the ARP detection statistics of a specific interface. Usage guidelines This command displays the numbers of packets discarded by the user validity check and the ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces. Examples # Display the ARP detection statistics for all the interfaces.
  • Page 227: Arp Automatic Scanning And Fixed Arp Commands

    Views User view Predefined user roles network-admin Parameters interface interface-type interface-number: Clears the ARP detection statistics for the specified interface. Usage guidelines If you do not specify any interface, this command clears the statistics of all the interfaces. Examples # Clear the ARP detection statistics of all the interfaces. <Sysname>...
  • Page 228: Arp Scan

    [Sysname] arp fixup arp scan Use arp scan to enable ARP automatic scanning in the specified address range. Syntax arp scan [ start-ip-address to end-ip-address ] Views VLAN interface view Predefined user roles network-admin Parameters start-ip-address: Specifies the start IP address of the scanning range. end-ip-address: Specifies the end IP address of the scanning range.
  • Page 229: Arp Gateway Protection Commands

    ARP gateway protection commands arp filter source Use arp filter source to enable ARP gateway protection for a specific gateway. Use undo arp filter source to disable ARP gateway protection for a specific gateway. Syntax arp filter source ip-address undo arp filter source ip-address Default ARP gateway protection is disabled.
  • Page 230 Views Ethernet interface view, aggregate interface view Predefined user roles network-admin Parameters ip-address: Permitted sender IP address. mac-address: Permitted sender MAC address. Usage guidelines You can configure up to eight ARP permitted entries on an interface. You cannot configure both the arp filter source and arp filter binding commands on the same interface. Examples # Configure an ARP permitted entry.
  • Page 231: Urpf Commands

    uRPF commands ip urpf Use ip urpf to enable uRPF. Use undo ip urpf to disable uRPF. Syntax ip urpf { loose | strict } undo ip urpf Default uRPF is disabled. Views System view Predefined user roles network-admin Parameters loose: Enables loose uRPF check.
  • Page 232: Display Ip Urpf

    Related commands display ip urpf display ip urpf Use display ip urpf to display the uRPF configuration. Syntax display ip urpf [ slot slot-number ] Views Any view Predefined user roles network-admin network-operator Parameters slot slot-number: Specifies an IRF member device. The slot-number argument specifies the ID of the IRF member device.
  • Page 233: Fips Commands

    FIPS commands display fips status Use display fips status to display the current FIPS mode state. Syntax display fips status Views Any view Predefined user roles network-admin network-operator Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled.
  • Page 234 After you execute the fips mode enable command, the system provides two methods to enter FIPS mode: • Automatic reboot Select the automatic reboot method. The system automatically creates a default FIPS configuration file named fips-startup.cfg, specifies this file as the startup configuration file, and requires you to configure the username and password for next login.
  • Page 235: Fips Self-Test

    Related commands display fips status fips self-test Use fips self-test to trigger a self-test on the cryptographic algorithms. Syntax fips self-test Views System view Predefined user roles network-admin Usage guidelines To examine whether the cryptography modules in FIPS mode operate correctly, you can use a command to trigger a self-test on the cryptographic algorithms.
  • Page 236 Known-answer test for AES passed. Known-answer test for random number generator passed. Known-Answer tests in the kernel passed. FIPS Known-Answer Tests passed.
  • Page 237: Ipsec Commands

    IPsec commands IPsec commands are supported only when the switch is operating in FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol. Use undo ah authentication-algorithm to remove all specified authentication algorithms for the AH protocol.
  • Page 238: Description

    Examples # Create an IPsec transform set, and specify the AH authentication algorithm for the transform set as HMAC-SHA1 with a 160-bit key. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1 description Use description to configure description for an IPsec policy, IPsec policy template, or IPsec profile. Use undo description to restore the default.
  • Page 239 network-operator Parameters ipv6-policy: Displays information about IPv6 IPsec policies. policy: Displays information about IPv4 IPsec policies. policy-name: Specifies an IPsec policy by its name, a case-sensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy entry by its sequence number. The value range is 1 to 65535. Usage guidelines •...
  • Page 240 ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: ----------------------------- Sequence number: 1 Mode: manual ----------------------------- Description: This is my complete policy Security data flow: 3100 Remote address: 2.2.2.2 Transform set: completetransform Inbound AH setting: AH SPI: 5000 (0x00001388) AH string-key: ****** AH authentication hex key: Inbound ESP setting:...
  • Page 241 # Display information about all IPv6 IPsec policies. <Sysname> display ipsec ipv6-policy ------------------------------------------- IPsec Policy: mypolicy ------------------------------------------- ----------------------------- Sequence number: 1 Mode: manual ----------------------------- Description: This is my first IPv6 policy Security data flow: 3600 Remote address: 1000::2 Transform set: mytransform Inbound AH setting: AH SPI: 1235 (0x000004d3) AH string-key: ******...
  • Page 242: Display Ipsec { Ipv6-Policy-Template | Policy-Template

    Field Description The policy configuration is incomplete IPsec policy configuration incomplete. Possible causes include: • The ACL is not configured. • The IPsec transform set is not configured. • The ACL does not have any permit statements. • The IPsec transform set configuration is not complete. •...
  • Page 243 Views Any view Predefined user roles network-admin network-operator Parameters ipv6-policy-template: Displays information about IPv6 IPsec policy templates. policy-template: Displays information about IPv4 IPsec policy templates. template-name: Specifies an IPsec policy template by its name, a case-sensitive string of 1 to 63 characters.
  • Page 244: Display Ipsec Profile

    --------------------------------- Description: This is policy template Security data flow : IKE profile: None Remote address: 200::1/64 Transform set: testprop IPsec SA local duration(time based): 3600 seconds IPsec SA local duration(traffic based): 1843200 kilobytes Table 32 Command output Field Description IPsec Policy Template IPsec policy template name.
  • Page 245: Display Ipsec Sa

    <Sysname> display ipsec profile ----------------------------------------------- IPsec profile: profile Mode: manual ----------------------------------------------- Description: Transform set: prop1 Inbound AH setting: AH SPI: 12345 (0x00003039) AH string-key: AH authentication hex key: ****** Inbound ESP setting: ESP SPI: 23456 (0x00005ba0) ESP string-key: ESP encryption hex-key: ****** ESP authentication hex-key: ****** Outbound AH setting: AH SPI: 12345 (0x00003039)
  • Page 246 Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all IPsec SAs. count: Displays the number of IPsec SAs. interface interface-type interface-number: Specifies an interface by its type and number. ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy. policy: Displays detailed information about IPsec SAs created by using a specified IPv4 IPsec policy.
  • Page 247 Field Description Status Stateful failover status of the IPsec SA: active or backup. In standalone mode, "–" is displayed in this field. # Display the number of IPsec SAs. <Sysname> display ipsec sa count Total IPsec SAs count: 4 # Display information about all IPsec SAs. <Sysname>...
  • Page 248 Status: active ------------------------------- Global IPsec SA ------------------------------- ----------------------------- IPsec profile: profile Mode: manual ----------------------------- Encapsulation mode: transport [Inbound AH SAs] SPI: 1234563 (0x0012d683) Transform set: AH-SHA1 No duration limit for this SA [Outbound AH SAs] SPI: 1234563 (0x002d683) Transform set: AH-SHA1 No duration limit for this SA Table 35 Command output Field...
  • Page 249: Display Ipsec Statistics

    Field Description sour addr Source IP address of the data flow. dest addr Destination IP address. port Port number. protocol Protocol type. SPI SPI of the IPsec SA. Transform set Security protocol and algorithms used by the IPsec transform set. SA duration (kilobytes/sec) IPsec SA lifetime, in kilobytes or seconds.
  • Page 250 Examples # Display statistics for all IPsec packets. <Sysname> display ipsec statistics IPsec packet statistics: Received/sent packets: 47/64 Received/sent bytes: 3948/5208 Dropped packets (received/sent): 0/45 Dropped packets statistics No available SA: 0 Wrong SA: 0 Invalid length: 0 Authentication failure: 0 Encapsulation failure: 0 Decapsulation failure: 0 Replayed packets: 0...
  • Page 251: Display Ipsec Transform-Set

    Field Description Invalid length Number of dropped packets due to invalid packet length. Authentication failure Number of dropped packets due to authentication failure. Encapsulation failure Number of dropped packets due to encapsulation failure. Decapsulation failure Number of dropped packets due to decapsulation failure. Replayed packets Number of dropped replayed packets.
  • Page 252: Display Ipsec Tunnel

    Field Description State Whether the IPsec transform set is complete. Encapsulation mode Encapsulation mode used by the IPsec transform set: transport or tunnel. Transform Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH. AH protocol AH settings.
  • Page 253 Table 38 Command output Field Description Src Address Source IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, "–" is displayed in this field. Dst Address Destination IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, "–" is displayed in this field. Valid SPI in the inbound direction of the IPsec tunnel.
  • Page 254: Encapsulation-Mode

    as defined in ACL 3100 # Display information about IPsec tunnel 1. <Sysname> display ipsec tunnel tunnel-id 1 Tunnel ID: 1 Status: active Perfect forward secrecy: SA's SPI: outbound: 6000 (0x00001770) [AH] inbound: 5000 (0x00001388) [AH] outbound: 8000 (0x00001f40) [ESP] inbound: 7000 (0x00001b58)
  • Page 255 Syntax encapsulation-mode { transport | tunnel } undo encapsulation-mode Default IP packets are encapsulated in tunnel mode. Views IPsec transform set view Predefined user roles network-admin Parameters transport: Uses the transport mode for IP packet encapsulation. tunnel: Uses the tunnel mode for IP packet encapsulation. Usage guidelines IPsec supports the following encapsulation modes: Transport mode—The security protocols protect the upper layer data of an IP packet.
  • Page 256: Esp Authentication-Algorithm

    esp authentication-algorithm Use esp authentication-algorithm to specify an authentication algorithm for ESP. Use undo esp authentication-algorithm to remove all authentication algorithms specified for ESP. Syntax In non-FIPS mode: esp authentication-algorithm { md5 | sha1 } * undo esp authentication-algorithm In FIPS mode: esp authentication-algorithm sha1 undo esp authentication-algorithm Default...
  • Page 257: Esp Encryption-Algorithm

    esp encryption-algorithm Use esp encryption-algorithm to specify encryption algorithms for ESP. Use undo esp encryption-algorithm to remove all encryption algorithms specified for ESP. Syntax In non-FIPS mode: esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } * undo esp encryption-algorithm In FIPS mode: esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }*...
  • Page 258: Ike-Profile

    [Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 Related commands ipsec transform-set ike-profile Use ike-profile to specify an IKE profile for an IPsec policy or IPsec policy template. Use undo ike-profile to remove the configuration. Syntax ike-profile profile-name undo ike-profile Default An IPsec policy or IPsec policy template does not reference any IKE profile, and the device selects an IKE profile configured in system view for negotiation.
  • Page 259: Ipsec Anti-Replay Window

    undo ipsec anti-replay check Default IPsec anti-replay checking is enabled. Views System view Predefined user roles network-admin Usage guidelines IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not necessary but consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing resource waste.
  • Page 260: Ipsec Decrypt-Check Enable

    Usage guidelines Changing the anti-replay window size affects only the IPsec SAs negotiated later. In some cases, some service data packets might be received in a very different order than their original order, and the IPsec anti-replay function might drop them as replayed packets, affecting normal communications.
  • Page 261: Ipsec Df-Bit

    Syntax ipsec logging packet enable undo ipsec logging packet enable Default Logging for IPsec packets is disabled. Views System view Predefined user roles network-admin Usage guidelines After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded due to, for example, lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure.
  • Page 262: Ipsec Global-Df-Bit

    Usage guidelines This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because outer IP headers are not added in transport mode. This command does not change the DF bit for the original IP headers of encapsulated packets. If multiple interfaces have referenced an IPsec policy that is bound to a source interface, you must use the same DF bit setting on these interfaces.
  • Page 263: Ipsec { Ipv6-Policy | Policy } (Interface View)

    [Sysname] ipsec global-df-bit set Related commands ipsec df-bit ipsec { ipv6-policy | policy } (interface view) Use ipsec { ipv6-policy | policy } to apply an IPsec policy to an interface. Use undo ipsec { ipv6-policy | policy } to remove the application. Syntax ipsec { ipv6-policy | policy } policy-name undo { ipv6-policy | policy }...
  • Page 264 Syntax ipsec { ipv6-policy | policy } policy-name seq-number [ isakmp | manual ] undo ipsec { ipv6-policy | policy } policy-name [ seq-number ] Default No IPsec policy is created. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy.
  • Page 265: Ipsec { Ipv6-Policy | Policy } Isakmp Template

    ipsec { ipv6-policy | policy } isakmp template Use ipsec { ipv6-policy | policy } isakmp template to create an IKE-based IPsec policy by referencing an IPsec policy template. Use undo ipsec { ipv6-policy | policy } to delete the specified IPsec policy. Syntax ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name undo ipsec { ipv6-policy | policy } policy-name [ seq-number ]...
  • Page 266: Ipsec { Ipv6-Policy | Policy } Local-Address

    ipsec { ipv6-policy | policy } local-address Use ipsec { ipv6-policy | policy } local-address to bind an IPsec policy to a source interface. Use undo ipsec { ipv6-policy | policy } local-address to remove the bindings of IPsec policies and source interfaces.
  • Page 267: Ipsec { Ipv6-Policy-Template | Policy-Template } Policy-Template

    Related commands ipsec { ipv6-policy | policy } (system view) ipsec { ipv6-policy-template | policy-template } policy-template Use ipsec { ipv6-policy-template | policy-template } to create an IPsec policy template, and enter IPsec policy template view. Use undo ipsec { ipv6-policy-template | policy-template } to delete the specified IPsec policy template. Syntax ipsec { ipv6-policy-template | policy-template } template-name seq-number undo ipsec { ipv6-policy-template | policy-template } template-name [ seq-number ]...
  • Page 268: Ipsec Profile

    • ipsec { ipv6-policy | policy } (system view) • ipsec { ipv6-policy | policy } isakmp template ipsec profile Use ipsec profile to create an IPsec profile, and enter IPsec profile view. Use undo ipsec profile to delete the specified IPsec profile. Syntax ipsec profile profile-name [ manual ] undo ipsec profile profile-name...
  • Page 269: Ipsec Sa Idle-Time

    Default The time-based global lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 bytes. Views System view Predefined user roles network-admin Parameters time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.
  • Page 270: Ipsec Transform-Set

    Views System view Predefined user roles network-admin Parameters seconds: Specifies the IPsec SA idle timeout, in the range of 60 to 86400 seconds. Usage guidelines This function applies only to IPsec SAs negotiated by IKE. The IPsec SA idle timeout can also be configured in IPsec policy view or IPsec policy template view, which takes precedence over the global IPsec SA timeout.
  • Page 271: Local-Address

    <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-transform-set-tran1] Related commands display ipsec transform-set local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default. Syntax local-address { ipv4-address | ipv6 ipv6-address } undo local-address Default The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4...
  • Page 272: Protocol

    Syntax In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 } undo pfs In FIPS mode: pfs dh-group14 undo pfs Default The PFS feature is disabled for the IPsec transform set. Views IPsec transform set view Predefined user roles network-admin Parameters...
  • Page 273: Qos Pre-Classify

    undo protocol Default The IPsec transform set uses the ESP protocol. Views IPsec transform set view Predefined user roles network-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol. esp: Specifies the ESP protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set.
  • Page 274: Remote-Address

    [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] qos pre-classify remote-address Use remote-address to configure the remote IP address for the IPsec tunnel. Use undo remote-address to restore the default. Syntax remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } undo remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } Default No remote IP address is specified for the IPsec tunnel.
  • Page 275: Reset Ipsec Sa

    # Change the IP address for the host test to 2.2.2.2. [Sysname] ip host test 2.2.2.2 In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host. # Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
  • Page 276: Reset Ipsec Statistics

    ipv6 ipv6-address: Specifies a remote IPv6 address. ah: Specifies the AH protocol. esp: Specifies the ESP protocol. spi-num: Specifies the security parameter index in the range of 256 to 4294967295. Usage guidelines If no parameters are specified, this command clears all IPsec SAs. If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or...
  • Page 277: Sa Duration

    Predefined user roles network-admin Parameters tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id is 0 to 4294967295. If no tunnel ID is specified, the command clears all IPsec packet statistics. Examples # Clear all IPsec packet statistics.
  • Page 278: Sa Hex-Key Authentication

    # Set the SA lifetime for the IPsec policy policy1 to 20 MB. The IPsec SA expires after transmitting 20480 bytes. <Sysname> system-view [Sysname] ipsec policy policy1 100 isakmp [Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480 Related commands • display ipsec sa • ipsec sa global-duration...
  • Page 279: Sa Hex-Key Encryption

    Examples # Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH. <Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication inbound ah simple 112233445566778899aabbccddeeff00 [Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication outbound ah simple aabbccddeeff001100aabbccddeeff00 Related commands display ipsec sa...
  • Page 280: Sa Idle-Time

    If you configure a key in different formats (hexadecimal or character format), only the most recent configuration takes effect. The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel. For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
  • Page 281: Sa Spi

    <Sysname> system-view [Sysname] ipsec policy map 100 isakmp [Sysname-ipsec-policy-isakmp-map-100] sa idle-time 600 Related commands • display ipsec sa • ipsec sa idle-time sa spi Use sa spi to configure an SPI for IPsec SAs. Use undo sa spi to remove the SPI. Syntax sa spi { inbound | outbound } { ah | esp } spi-number undo sa spi { inbound | outbound } { ah | esp }...
  • Page 282: Sa String-Key

    Related commands display ipsec sa sa string-key Use sa string-key to set a key string (a key in character format) for manual IPsec SAs. Use undo sa string-key to remove the key string. Syntax sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key undo sa string-key { inbound | outbound } { ah | esp } Default No key string is configured for IPsec SAs.
  • Page 283: Security Acl

    <Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef [Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab Related commands • display ipsec sa • sa hex-key security acl Use security acl to reference an ACL for an IPsec policy or IPsec policy template. Use undo security acl to remove the ACL referenced by an IPsec policy or IPsec policy template.
  • Page 284: Transform-Set

    Examples # Reference ACL 3001 for the IPsec policy policy1. <Sysname> system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Sysname-acl-adv-3001] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] security acl 3001 Related commands display ipsec sa •...
  • Page 285 <Sysname> system-view [Sysname] ipsec transform-set prop1 [Sysname-ipsec-transform-set-prop1] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] transform-set prop1 Related commands • ipsec { ipv6-policy | policy } (system view) • ipsec profile • ipsec transform-set...
  • Page 286: Ike Commands

    IKE commands IKE commands are supported only when the switch is operating in FIPS mode. For more information about FIPS mode, see Security Configuration Guide. authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default. Syntax In non-FIPS mode: authentication-algorithm { md5 | sha }...
  • Page 287 Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles network-admin Parameters dsa-signature: Specifies the DSA signatures as the authentication method. pre-share: Specifies the pre-shared key as the authentication method.
  • Page 288: Display Ike Proposal

    In FIPS mode: dh group14 undo dh Default In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used. Views IKE proposal view Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group.
  • Page 289: Display Ike Sa

    Usage guidelines This command displays the configuration information about all IKE proposals in the descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal. Examples # Display the configuration information about all IKE proposals. <Sysname>...
  • Page 290 network-operator Parameters verbose: Displays detailed information. connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range 1 to 2000000000. remote-address: Displays detailed information about IKE SAs with the specified remote address. ipv6: Specifies an IPv6 address. remote-address: Remote IP address.
  • Page 291 Local IP: 4.4.4.4 Local ID type: IPV4_ADDR Local ID: 4.4.4.4 Remote IP: 4.4.4.5 Remote ID type: IPV4_ADDR Remote ID: 4.4.4.5 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: HASH-SHA1 Encryption-algorithm: AES-CBC-192 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 14 NAT traversal: Not detected # Display detailed information about the IKE SA with the remote address of 4.4.4.5.
  • Page 292: Dpd

    Field Description Outside VPN VPN instance name of the MPLS L3VPN to which the receiving interface belongs. Inside VPN VPN instance name of the MPLS L3VPN to which the protected data belongs. Profile Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field displays nothing.
  • Page 293: Encryption-Algorithm

    Parameters interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300. • If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send. •...
  • Page 294: Exchange-Mode

    Views IKE proposal view Predefined user roles network-admin Parameters 3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption. aes-cbc-128: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit key for encryption.
  • Page 295: Ike Dpd

    Views IKE profile view Predefined user roles network-admin Parameters aggressive: Specifies the aggressive mode. main: Specifies the main mode. Usage guidelines When the user (for example, a dial-up user) at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends that you set the IKE negotiation mode to aggressive at the local end.
  • Page 296: Ike Identity

    on-demand: Sends DPD messages on demand. periodic: Sends DPD messages at regular intervals. Usage guidelines DPD is triggered periodically or on demand. The on-demand mode is recommended when the device communicates with a large number of IKE peers. For earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.
  • Page 297: Ike Invalid-Spi-Recovery Enable

    user-fqdn user-fqdn-name : Uses the user FQDN name as the identity. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, abc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN. Usage guidelines The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile.
  • Page 298: Ike Keepalive Interval

    The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up. Use caution when enabling the invalid SPI recovery feature because using this feature can result in a DoS attack.
  • Page 299: Ike Keychain

    Use undo ike keepalive timeout to restore the default. Syntax ike keepalive timeout seconds undo ike keepalive timeout Default The negotiated aging time for the IKE SA applies. Views System view Predefined user roles network-admin Parameters seconds: Specifies the number of seconds between IKE keepalives. The value is in the range of 20 to 28800.
  • Page 300: Ike Limit

    Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IKE keychain belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.
  • Page 301: Ike Nat-Keepalive

    The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system. Examples # Set the maximum number of half-open IKE SAs to 200. <Sysname>...
  • Page 302: Ike Proposal

    Syntax ike profile profile-name undo ike profile profile-name Default No IKE profile is configured. Views System view Predefined user roles network-admin Parameters profile-name: Specifies an IKE profile name, a case-sensitive string of 1 to 63 characters. Examples # Create IKE profile 1 and enter its view. <Sysname>...
  • Page 303: Ike Signature-Identity From-Certificate

    Parameters proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal. Usage guidelines During IKE negotiation: • The initiator sends its IKE proposals to the peer. If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer.
  • Page 304: Inside-Vpn

    If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration. Examples # Configure the local device to always obtain the identity information from the local certificate for signature authentication.
  • Page 305: Local-Identity

    undo keychain keychain-name Default No IKE keychain is specified for an IKE profile. Views IKE profile view Predefined user roles network-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. Usage guidelines An IKE profile can reference up to six IKE keychains. An IKE keychain specified earlier has a higher priority.
  • Page 306: Match Local Address (Ike Keychain View)

    dn: Uses the DN in the local certificate as the local ID. fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
  • Page 307: Match Local Address (Ike Profile View)

    Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 308: Match Remote

    Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 309 Views IKE profile view Predefined user roles network-admin Parameters certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID. The policy-name argument is a string of 1 to 31 characters. identity: Uses the specified information as the peer ID. The specified information is configured on the peer by using the local-identity command.
  • Page 310: Pre-Shared-Key

    Related commands local-identity pre-shared-key Use pre-shared-key to configure a pre-shared key. Use undo pre-shared-key to remove a pre-shared key. Syntax pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key } undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } Default...
  • Page 311: Priority (Ike Keychain View)

    For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file. Examples # Create IKE keychain key1 and enter IKE keychain view. <Sysname> system-view [Sysname] ike keychain key1 # Set the pre-shared key to be used for IKE negotiation with peer 1.1.1.2 to 123456. [Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456 Related commands...
  • Page 312: Priority (Ike Profile View)

    priority (IKE profile view) Use priority to specify a priority for an IKE profile. Use undo priority to restore the default. Syntax priority number undo priority Default The priority of an IKE profile is 100. Views IKE profile view Predefined user roles network-admin Parameters priority number: Specifies a priority number in the range of 1 to 65535.
  • Page 313: Reset Ike Sa

    Predefined user roles network-admin Parameters proposal-number&<1-6>: Specifies up to six IKE proposal numbers, each in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority. Usage guidelines When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation. When acting as the responder, the device uses the IKE proposals configured in system view to match the IKE proposals received from the initiator.
  • Page 314: Sa Duration

    # Delete the IKE SA with the connection ID 2. <Sysname> reset ike sa 2 # Display the current IKE SAs. <Sysname> display ike sa Total IKE SAs: Connection-ID Remote Flag ---------------------------------------------------------- 202.38.0.2 RD|ST IPSEC Flags: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT sa duration Use sa duration to set the IKE SA lifetime for an IKE proposal.
  • Page 315: Support And Other Resources

    Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.com/support Before contacting HP, collect the following information: • Product model names and numbers • Technical support registration number (if applicable) • Product serial numbers • Error messages •...
  • Page 316: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 317 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 318: Index

    Index A B C D E F G H I K L M N P Q R S T U V W accounting command,1 bind-attribute,21 accounting default,2 bye,171 accounting lan-access,3 accounting login,4 cd,171 accounting-on enable,30 cdup,172 authentication-algorithm,228 arp active-ack enable,213 arp detection enable,214 data-flow-format (HWTACACS scheme...
  • Page 319 display password-control,125 group,25 display password-control blacklist,126 display port-security,108 help,175 display port-security mac-address block,110 hwtacacs nas-ip,58 display port-security mac-address security,112 hwtacacs scheme,59 display public-key local public,143 display public-key peer,147 display radius scheme,32 dpd,286 display radius statistics,34 identity,287 display sftp client source,174 ike invalid-spi-recovery enable,288...
  • Page 320 key (HWTACACS scheme view),60 peer-public-key end,148 key (RADIUS scheme view),35 pfs,262 keychain,295 port-security authorization ignore,114 port-security enable,115 port-security intrusion-mode,115 ldap scheme,79 port-security mac-address security,116 ldap server,79 port-security max-mac-count,118 local-address,262 port-security ntk-mode,119 local-identity,296 port-security oui,119 local-user,25 port-security port-mode,120...
  • Page 321 reset ike sa,304 sftp server idle-timeout,163 reset ip source binding,203 ssh client ipv6 source,190 reset ipsec sa,266 ssh client source,191 reset ipsec statistics,267 ssh server acl,163 reset ipv6 source binding,204 ssh server authentication-retries,164 reset mac-authentication statistics,106 ssh server authentication-timeout,165 reset password-control blacklist,141 ssh server compatible-ssh1x enable,166...