Zte ZXR10 Command Manual

ZXR10
Router/Ethernet Switch
Command Manual (Security Volume)
Version 4.8.22
ZTE CORPORATION
ZTE Plaza, Keji Road South,
Hi-Tech Industrial Park,
Nanshan District, Shenzhen,
P. R. China
518057
Tel: (86) 755 26771900
Fax: (86) 755 26770801
URL: http://ensupport.zte.com.cn
E-mail: support@zte.com.cn

Summary of Contents for Zte ZXR10

  • Page 2 The contents of this document are protected by copyright laws and international treaties. Any reproduction or distribution of this document or any portion of this document, in any form by any means, without the prior written consent of ZTE CORPORATION is prohibited.
  • Page 3: Table Of Contents

    About This Manual (i); Command Introduction (1); Manual Use Guide (1); Description of Man-Machine Commands (1); Auxiliary Function (2); Command Mode (3); ACL Configuration (7); acl standard (8); acl extended (8); acl hybrid (9); acl link (9); acl user-defined (10); acl-log (11); acl-stat (11) ...
  • Page 4 rule (IPv6 Standard Format) (32); rule (IPv6 Extended Format) (33); show access-list alias (34); show access-list bound (34); show access-list brief (35); show access-list config (35); show access-list senior bound (35); show access-list senior vlan-bound (36); show access-list used (36); show acl (36); show acl-statistics (37); Network Security Configuration ...
  • Page 5 group (54); hash (55); isakmp enable (56); isakmp exchange-mode (56); isakmp identity (57); isakmp key (58); isakmp policy (58); lifetime (60); show isakmp exchange-mode (61); show isakmp identity (61); show isakmp key (61); show isakmp policy (62); show isakmp sa (63); IPSec IPv4 Network Safe commands (65); clear crypto ipsec sa (65); clear crypto map (66); crypto dynamic-map (67) ...
  • Page 6 sad add (84); sad clear (85); sad delall (86); sad delete (87); sad flush (87); show sad (88); show spd (89); spd add (90); spd delete (91); spd flush (93); SYN FLOOD Protection (95); tcp synflood-protect enable (95); tcp synflood-protect defence (95); tcp synflood-protect disable (96); tcp synflood-protect max-connect (97); tcp synflood-protect one-minute (97); show tcp synflood-protect all (98) ...
  • Page 7 local name (109); mpls l2transport pwe3 extension (109); mpls l2transport pwe3 extension reflector repeater (110); new-random (110); proxy-authentication (111); service-type (111); show vpdn session (111); show vpdn tunnel (111); source-ip (112); user-vpdn-group (112); virtual-template (113); vlan-import ...
  • Page 8 accounting-group max-retries (130); accounting-group nas-ip-address (130); accounting-group server (131); accounting-group timeout (131); accounting-group user-name-format (132); accounting-group vendor (132); authentication-group (133); authentication-group algorithm (133); authentication-group alias (134); authentication-group calling-station-format (134); authentication-group deadtime (135); authentication-group ip mng (135); authentication-group ip vrf ...
  • Page 9 localuser port (150); localuser vlan (151); nas (151); show aaa (151); show client (154); show localuser (155); Dot1x Configuration (159); dot1x max-requests (159); dot1x quiet-period (159); dot1x re-authentication (160); dot1x server-timeout (160); dot1x supplicant-timeout (161); dot1x tx-period ...
  • Page 11: About This Manual

    Purpose: ...operation of ZXR10 router and Ethernet switch. Intended Audience: This manual is intended for engineers and technicians who perform operation activities on ZXR10 router and Ethernet switch. What Is in This Manual: This manual contains the following chapters: Chapter...
  • Page 12 ZXR10 Router/Ethernet Switch Command Manual (Command Index Volume); ZXR10 Router/Ethernet Switch Command Manual (Ethernet Switch Volume); ZXR10 Router/Ethernet Switch Command Manual (Basic Configuration Volume I); ZXR10 Router/Ethernet Switch Command Manual (Basic Configuration Volume II); ...
  • Page 13: Command Introduction

    To search a command, do as follows: 1. Find the desired command by referring to ZXR10 Router/Ethernet Switch Command Manual — Command Index. 2. Find command details by the volume, chapter/section and page of the obtained command.
  • Page 14: Auxiliary Function

    Do not describe the history command if this entry does not exist. Auxiliary Function: The auxiliary functions of ZXR10 devices are as follows. 1. In any command mode, enter a question mark (?) after the system prompt, and a list of the commands available in that command mode will be displayed.
  • Page 15: Command Mode

    ENTER. The ^ is placed below the first character of the incorrectly entered command, keyword or parameter. 3. ZXR10 router/Ethernet switch allows a command or keyword to be abbreviated to a character or character string that uniquely identifies that command or keyword. For example, the show command can be abbreviated to sh or sho.
  • Page 16 ...<1~64>(GAR), serial port and telnet connection ... mode. Layer 2 ACL configuration mode: prompt ZXR10(config-link-acl)#; entered from global configuration mode with acl link; defines Layer 2 ACL rules. Confidential and Proprietary Information of ZTE CORPORATION...
  • Page 17 ...ospf; configures OSPFv3 parameters. VRF configuration mode: prompt ZXR10(config-vrf)#; entered from global configuration mode with ip vrf; configures VRF parameters. VFI configuration mode: prompt ZXR10(config-vfi)#; entered from global configuration mode; configures VPLS related parameters.
  • Page 18 IPSec configuration mode: prompt ZXR10(config-ipsec)#; entered from global configuration mode with ipsec; configures IPv6 IPSec protection. Diagnosis mode: prompt ZXR10(diag)#; entered from privileged mode with diagnose; tests CPU and memory usage.
  • Page 19: Acl Configuration

    ... (34); show access-list bound (34); show access-list brief (35); show access-list config (35); show access-list senior bound (35); show access-list senior vlan-bound (36); show access-list used (36); show acl (36); show acl-statistics (37)
  • Page 20: Acl Standard

    <acl-alias>} Syntax Description: number <acl-number>: Extended ACL number, range: 100~199 or 1500~1999; name <acl-name>: Standard ACL name, not more than 31 characters; alias <acl-alias>: ACL alias, not more than 31 characters
  • Page 21: Acl Hybrid

    Delete the configured Layer 2 ACL with the no form of this command. Command Modes: Global configuration. Syntax: acl link {number <acl-number>| name <acl-name>| alias <acl-alias>}; no acl link {number <acl-number>| name <acl-name>| alias <acl-alias>}
  • Page 22: Acl User-Defined

    Standard ACL name, not more than 31 characters; alias <acl-alias>: ACL alias, not more than 31 characters. Instructions: This command is only applied to the ZXR10 T160G series. Example: This example describes how to enter user-defined ACL configuration mode.
  • Page 23: Acl-Log

    1~42949672955; time interval configured when timing the log, in seconds, range: 30~42949672955. Instructions: This command is applied only to the ZXR10 GAR router and ZXR10 ZSR router. When an ACL with the log option is used on an interface, the first packet that matches the ACL rule with the log function immediately triggers a piece of log information.
  • Page 24: Attach

    ACL-statistics is disabled. clear: Clears ACL packet statistics. Instructions: This command is applied only to the ZXR10 GAR router and ZXR10 ZSR router. It enables packet statistics: when a linecard ACL is bound to the interface and a packet matches the ACL, the show acl command displays the matching packets.
  • Page 25: Clear-Acl-Statistics

    Syntax: clear-acl-statistics [<interface-name>]. Syntax Description: <interface-name>: Interface name. Instructions: This command is applied to ZXR10 GAR, ZXR10 ZSR. Example: This example describes how to clear the log statistics information recorded by the ACL of interface fei_1/1.
    ZXR10(config)#clear-acl-statistics fei_1/1 rule...
  • Page 26: Deny (Standard Format)

    Purpose: ...extended IP access list. Delete the “deny” condition with the no form of this command. Command Modes: Extended ACL configuration. Syntax: deny <protocol><source><source-wildcard>[<source-port>]<destination><destination-wildcard>[<destination-port>][time-range <timerange-name>][log]; no deny <protocol><source><source-wildcard>[<source-port>]<destination><destination-wildcard>[<destination-port>][time-range <timerange-name>][log]
  • Page 27 Information-request, mask-reply, mask-request, parameter-problem, redirect, router-advertisement, router-solicitation, source-quench, time-exceeded, timestamp-reply, timestamp-request, traceroute, unreachable. TCP interface name: BGP, domain, finger, FTP, login, pop2, pop3, SMTP, TELNET. UDP interface name: ...
  • Page 28: Deny (Ipv6 Standard Format)

    Purpose: Use this command to configure the “deny” condition for an IPv6 extended access list. Remove the “deny” condition with the no form of this command. Command Modes: IPv6 extended ACL configuration.
  • Page 29: Ip Access-Group

    ACL name or alias. Parameter description by product: ZXR10 T160G: the out parameter is available; <acl-number> is 1~349, 1000~1999, 2000~2999, or 3000~3499. ZXR10 T64E/T128: the out parameter is available; <acl-number> is 1~199, 1000~1999.
  • Page 30: Ip Access-Groupipv6

    1~199, 1000~1999. ZXR10 ZSR: the out parameter is available; <acl-number> is 1~199, 1000~1999. Instructions: This command is the same as the one under Layer 2 VLAN of ZXR10 T160G. User-defined ACL is not supported, but IPv6 ACL is supported.
  • Page 31: Ip Access-List

    Instructions: This command supports layer-2 GEI, layer-2 FEI, layer-2 VLAN and smartgroup interfaces. For ZXR10 T160G, this command has the out parameter: acl-number can be 1~349, 1000~1999, 2000~2999, 3000~3499. Example: This example describes how to use ACL1 in the egress of interface gei_1/1 and ACL101 in the ingress of interface gei_1/1.
  • Page 32: Ipv6 Acl Extended

    ...ACL with the no form of this command. Command Modes: Global configuration. Syntax: ipv6 acl standard {number <acl-number>| name <acl-name>| alias <acl-alias>}; no ipv6 acl standard {number <acl-number>| name <acl-name>| alias <acl-alias>}
  • Page 33: Move

    Layer 2 ACL configuration mode, hybrid ACL configuration mode, IPv6 ACL standard mode and IPv6 ACL extended mode. Syntax: name <acl-name>. Syntax Description: <acl-name>: Alias of the ACL, not more than 31 characters
  • Page 34: Permit (Standard Format)

    0.0.0.0 and the source wildcard 255.255.255.255. Logs the IP packets that meet this rule (available for ZXR10 GAR, ZXR10 ZSR only). time-range <timerange-name>: Time range name, the length is not more than...
  • Page 35: Permit(Extended Format)

    time-range <timerange-name>: Time range name, the length is not more than 31 characters. Logs the IP packets that meet this rule (available for ZXR10 GAR, ZXR10 ZSR only). Example: This example describes how to allow access to a host on the specified network...
  • Page 36: Permit (Ipv6 Standard Format)

    Purpose: Use this command to configure the permit conditions for an IPv6 extended access list. Remove the permit conditions with the no form of this command. Command Modes: IPv6 Extended ACL configuration. Syntax: deny <protocol><source/prefix><destination/prefix>[time-range <timerange-name>]; no deny <protocol><source/prefix><destination/prefix>[time-range <timerange-name>]
  • Page 37: Rule (Basic Acl)

    Event list name, not more than 31 characters. Instructions: If the time-range field is not configured, this rule is effective permanently. The relevant time-range command must be configured before the time-range field is used.
  • Page 38: Rule (Extended Acl)

    ACL rule event list is only supported in T160G series switches. Example: This example describes how to configure rules 1 and 10 of the basic ACL.
    ZXR10(config)#acl standard number 1
    ZXR10(config-std-acl)#rule 1 permit 168.1.1.1 0.0.0.255
    ZXR10(config-std-acl)#rule 10 permit any time-range test
    Related Commands: show acl, time-range, event-list. rule (Extended ACL): Use this command to define an extended ACL rule.
  • Page 39 The TCP or UDP port <port> can be a decimal numeral (1-65535) or a name. TCP port names: BGP, domain, finger, FTP, login, pop2, pop3, SMTP, TELNET; UDP port names: ...
  • Page 40: Rule (Layer 2 Acl)

    ZXR10(config-ext-acl)#rule 3 deny ip any 168.1.0.0 0.0.255.255 tos 1 precedence 1
    ZXR10(config-ext-acl)#rule 4 permit tcp any eq bgp 168.1.1.0 0.0.0.255 eq domain established tos 1 precedence 7
    ZXR10(config-ext-acl)#rule 5 deny udp any any dscp 5 time-range test
    Related Commands: show acl...
  • Page 41: Rule (Hybrid Acl)

    ACL rule event list is only supported by T160G series switches. Example: This example describes how to configure the Layer 2 ACL rule.
    ZXR10(config)#acl link number 1
    ZXR10(config-link-acl)#rule 1 permit any cos 2 dinvlan-id 100 ingress 0011.1234.0000 0000.0000.0000 egress any
    Related Commands: show acl...
  • Page 42 Inside VLAN identifier; doutervlan <vlan-id>: Outside VLAN identifier; <source-mac><source-mac-wildcard>: Source MAC address and wildcard mask; <dest-mac><dest-mac-wildcard>: Destination MAC address and wildcard mask; any: All source or destination addresses; ingress: Source MAC address keyword
  • Page 43: Rule (User-Defined Acl)

    0000.0000.3230 0000.0000.0000 egress any
    ZXR10(config-hybd-acl)#rule 2 deny udp any 168.1.1.1 0.0.0.0 egress 1111.0000.0000 0000.ffff.ffff
    ZXR10(config-hybd-acl)#rule 3 permit tcp 168.1.1.1 0.0.0.255 eq ftp 168.1.2.2 0.0.0.255 eq telnet 1024 ingress 1111.aabb.cccc 0000.0000.ffff time-range test
    Related Commands: show acl...
  • Page 44: Rule (Ipv6 Standard Format)

    T160G series switches. Example: This example describes how to configure user-defined ACL rules 1 and 10.
    ZXR10(config)#acl user-defined number 3000
    ZXR10(config-user-acl)#rule 1 permit segment1 2 8100206b 00000000
    ZXR10(config-user-acl)#exit
    Related Commands: show acl, time-range...
  • Page 45: Rule (Ipv6 Extended Format)

    Example: This example describes how to configure/edit IPv6 standard ACL rules 1 and 10.
    ZXR10(config)#ipv6 acl standard number 1
    ZXR10(config-std-v6acl)#rule 1 permit 1030::C9B4:FF12:48AA:1A2B/60
    ZXR10(config-std-v6acl)#rule 1 deny 1030::C9B4:FF12:48AA:1A2B/60
    ZXR10(config-std-v6acl)#rule 10 permit 1030::1000/90 time-range test
    Related Commands: show ipv6 acl, time-range, event-list. rule (IPv6 Extended Format): Use this command to define an IPv6 extended ACL rule.
  • Page 46: Show Access-List Alias

    ACL rule event list is only supported in T160G series switches. Example: This example describes how to configure/edit IPv6 extended ACL rules 1 and 10.
    ZXR10(config-ext-v6acl)#rule 1 permit ip any 105A:1002::1000/100
    ZXR10(config-ext-v6acl)#rule 1 deny ip any 105A:1002::1000/100
    ZXR10(config-ext-v6acl)#rule 10 permit ip 1030::1000/90 102A:A002::1000/100 time-range test...
  • Page 47: Show Access-List Brief

    It supports NP2ACL bound to layer-2 GEI, layer-2 FEI and SmartGroup interfaces. Command Modes: All modes. Syntax: show access-list senior bound [<interface-name>]. Syntax Description: <interface-name>: Interface name. Example: This example describes how to display NP2ACL bound to all interfaces.
  • Page 48: Show Access-List Senior Vlan-Bound

    Example: ...name.
    ZXR10(config)#show access-list used
    show acl: Purpose: Use this command to display NP2ACL bound to the specified or all layer-2 VLAN interfaces. Command Modes: All modes. Syntax: show acl [<acl-number>|<acl-name>[begin <rule number>]]
  • Page 49: Show Acl-Statistics

    Syntax: ... [<interface-name>]. Syntax Description: <interface-name>: Interface name. Instructions: It is applied to ZXR10 GAR, ZXR10 ZSR. Example: This example describes how to display the log statistics information recorded by the ACL on the interface.
    ZXR10(config)# show acl-statistics fei_1/1 deny...
  • Page 51: Network Security Configuration

    ARP protection mode based on the whole. limit-num <number>: ARP protection threshold, range: 1~65535. Defaults: No ARP protection mode is enabled by default.
  • Page 52: Arp Source-Filtered

    There is no relevant configuration displayed after the use of the show running-config command. Example: This example describes how to bind the dynamic ARP entries on interface fei_1/1.
    ZXR10(config)#interface fei_1/1
    ZXR10(config-if)#arp to-static
    Related Commands: show arp, show arp-to-static
  • Page 53: Ip Verify

    {<1~199>|<1500~1999>}: Specifies the ACL number; acl_name <name>: Specifies the ACL name. Instructions: It is applied to ZXR10 GAR, ZXR10 GER, ZXR10 T64E/T128 and ZXR10 T160G. Example: This example describes how to enable the strict source route URPF verification function on the interface.
  • Page 54: Show Radius

    Related Commands: radius server retry-time, radius server timeout. show ssh: Purpose: Use this command to show configuration information about the SSH server. Command Modes: All modes except User EXEC. Syntax: show ssh
  • Page 55: Ssh Server Authentication Ispgroup

    Example: This example describes how to set the authentication mode to PAP.
    ZXR10(config)#ssh server authentication mode pap
    This example describes how to set the authentication mode to CHAP.
    ZXR10(config)#ssh server authentication mode chap
  • Page 56: Ssh Server Authentication Mode

    Command Modes: Global configuration. Syntax: ssh server enable; no ssh server enable. Defaults: This command is disabled by default. Example: This example describes how to enable the SSH server.
    ZXR10(config)#ssh server enable
  • Page 57: Ssh Server Generate-Key

    Command Modes: Global configuration. Syntax: ssh server version <version>. Syntax Description: <version>: SSH server protocol version, range: 1~2, default: 2. Example: This example describes how to set the SSH server protocol version to 2.
  • Page 58: Urpf Log

    Log switch, on/off: when it is on, the URPF log is enabled; when it is off, the URPF log is disabled. Instructions: It is applied to ZXR10 GAR, ZXR10 GER, ZXR10 T64E/T128 and ZXR10 T160G. Example: This example describes how to enable the URPF log switch.
  • Page 59: Virus Scanning Configuration

    Syntax Description: <packet>: Virus scan alarm threshold on each port, unit: pkt/min, range: 60~30000, default: 200. Instructions: This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. It is used after the virus scan monitor is enabled. virus-scan protect...
  • Page 60: Virus-Scan Protect Shutdown-Port

    Manual restore. Defaults: Manual restore by default. Instructions: This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. It is used after the virus scan monitor is enabled. If restore is manual, the no shutdown command is used on the shut-down port to restore it.
  • Page 61 Enables the virus scan monitor function; disable: Disables the virus scan monitor function. Defaults: This command is disabled by default. Instructions: This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only.
  • Page 63: Internet Key Switching Protocol Commands

    ISAKMP negotiation pre-share authentication mode. Defaults: Pre-share authentication mode by default. Instructions: Platform version 4.8.01 and later versions support this command. It is implemented mainly on GAR currently.
  • Page 64: Commands

    : 86400 seconds
    ZXR10(config)#clear isakmp policy
    ZXR10(config)#show isakmp policy
    Protection suite of priority default
    encryption algorithm : 3des
    hash algorithm : sha1
    authentication method : pre-share
    Diffie-Hellman group : group1
    lifetime : 86400 seconds
  • Page 65: Clear Isakmp Sa

    It is implemented mainly on GAR currently. Example: The following example enables debug messages for ISAKMP.
    ZXR10#debug crypto isakmp detail
    ZXR10#show debug
    ISAKMP: debug crypto isakmp detail on
    ZXR10#debug crypto isakmp
    ZXR10#show debug
    IPSec:
  • Page 66: Encryption

    ZXR10(config-isakmp)# no encryption
    Related Commands: isakmp policy, show isakmp policy. group: Purpose: Use this command to designate the IKE Diffie-Hellman (DH) exchange group. Command Modes: ISAKMP negotiation policy configuration. Syntax: group {1 | 2}
  • Page 67: Hash

    Example: It is supposed that IKE security policy “1” has been created on the router R1. This example describes how to set the hash algorithm for the security policy.
    ZXR10(config)#isakmp policy 1
  • Page 68: Isakmp Enable

    | aggressive: IKE negotiation exchange mode, main or aggressive; <peer-address>: IP address of the ISAKMP negotiation peer; <mask>: Subnet mask of the ISAKMP negotiation peer. Defaults: Main exchange mode by default.
  • Page 69: Isakmp Identity

    Example: This example describes how to set the IKE negotiation identity type on router R1.
    ZXR10(config)#isakmp identity hostname
    ZXR10(config)#isakmp identity address
    ZXR10(config)#show isakmp identity
    Isakmp local identity type : address
    ZXR10(config)#no isakmp identity
    Related Commands: isakmp identity, show isakmp identity
  • Page 70: Isakmp Key

    Example: In this example, the IKE negotiation pre-share key is set on the router R1.
    ZXR10(config)#isakmp key 111 address 1.1.1.1 netmask 255.255.255.0
    ZXR10(config)#isakmp key 11 address 1.1.1.3 netmask 255.255.255.252
    ZXR10(config)#show isakmp key
    Address/Mask Preshared-Key
    1.1.1.1/255.255.255.0...
  • Page 71 : sha1
    authentication method : pre-share
    Diffie-Hellman group : group1
    lifetime : 86400 seconds
    Protection suite of priority default
    encryption algorithm : 3des
    hash algorithm : sha1
    authentication method : pre-share
  • Page 72: Lifetime

    Example: It is supposed that IKE security policy “1” has been created on the router R1. This example describes how to set the lifetime of ISAKMP Security Associations.
    ZXR10(config)#isakmp policy 1
    ZXR10(config-isakmp)#lifetime 120
    ZXR10(config-isakmp)#lifetime 240
    ZXR10(config-isakmp)#no lifetime
    Related Commands: isakmp policy, show isakmp policy
  • Page 73: Show Isakmp Exchange-Mode

    Related Commands: isakmp identity hostname. show isakmp key: Purpose: Use this command to display information about the IKE negotiation pre-share key setting. Command Modes: All modes. Syntax: show isakmp key {ip | fqdn}
  • Page 74: Show Isakmp Policy

    : 86400 seconds
    Protection suite of priority default
    encryption algorithm : 3des
    hash algorithm : sha1
    authentication method : pre-share
    Diffie-Hellman group : group1
    lifetime : 86400 seconds
    Related Commands: isakmp policy, clear isakmp policy
  • Page 75: Show Isakmp Sa

    N - NAT-Traversal
    C-id Local Port Remote Port Status Lifetime Cap.
    4240 165.165.165.165 42405 165.165.165.165 165
    Related Commands: clear isakmp sa, clear crypto ipsec sa, show isakmp sa, show crypto ipsec sa
  • Page 77: Ipsec Ipv4 Network Safe Commands

    Purpose: Use this command to delete all IPSec SAs. Command Modes: Privileged EXEC. Syntax: clear crypto ipsec sa; clear crypto ipsec sa peer <peer-address>; clear crypto ipsec sa entry <destination-address><protocol><spi><interface-name>
  • Page 78: Clear Crypto Map

    Legal characters of the security policy map name include letters, digits and underscore; characters are not case sensitive. The policy type cannot be modified; the policy must be deleted before it is created again.
  • Page 79: Crypto Dynamic-Map

    The sequence range is 1~65535. However, the number of dynamic policies is not more than 60. The sequence number also expresses priority: the smaller the sequence number, the higher the priority.
  • Page 80: Crypto Ipsec Commit

    Command Modes: Global configuration. Syntax: crypto ipsec pmtu discover; no crypto ipsec pmtu discover. Defaults: This command is disabled by default. Instructions: Platform version 4.8.01 and later versions support this command.
  • Page 81: Crypto Ipsec Sa Global-Lifetime

    ZXR10(config)#crypto ipsec sa global-lifetime kilobytes 5555 seconds 120
    ZXR10(config)#show crypto ipsec sa-global-lifetime
    security association lifetime: 5555 kilobytes/120 seconds
    ZXR10(config)#no crypto ipsec sa global-lifetime
    Related Commands: show crypto map, show crypto ipsec sa-global-lifetime
  • Page 82: Crypto Ipsec Transform-Set

    Purpose: Use this command to set the transform set encapsulation mode when the transform set exists. Command Modes: Global configuration. Syntax: crypto ipsec transform-set <transform-set-name> encapsulation-mode {transport | tunnel}; no crypto ipsec transform-set <transform-set-name> encapsulation-mode
  • Page 83: Crypto Map

    Legal characters of the security policy map name include letters, digits and underscore; characters are not case sensitive. The policy type cannot be changed; the policy can only be deleted and then created again.
  • Page 84: Crypto Map

    ZXR10(config)#interface fei_1/1
    ZXR10(config-if)#crypto map mymap
    ZXR10#show run in fei_1/1
    Building configuration...
    interface fei_1/1
    ip address 1.1.1.66 255.255.255.0
    negotiation auto
    crypto map mymap
    Related Commands: show running-config interface, crypto map
  • Page 85: Crypto Map Isakmp Dynamic

    Example: This example describes how to create an IPSec security policy named mymap and set a static map binding dynamic maps.
    ZXR10(config)#crypto map mymap 123 isakmp dynamic dynmap
    ZXR10(config-crypto-map)#show cry map mymap 123
    Crypto Map “mymap“ 123 ipsec-isakmp:...
  • Page 86: Debug Crypto Ipsec

    Example: In this example, IPSec packets are enabled to be sent/received.
    ZXR10(config)#enable ipsec
    Related Commands: enable ipsec. match address: Purpose: Use this command to designate an access list for a policy. Command Modes: Dynamic security configuration and IKE security configuration
  • Page 87: Set Peer

    Instructions: ...command. It is implemented mainly on GAR currently. The policy must have been created before this command is used. This command cannot be used for the dynamic map.
  • Page 88: Set Pfs

    ZXR10(config-crypto-map)#set pfs group1
    ZXR10(config-crypto-map)#set pfs group2
    ZXR10(config-crypto-map)#no set pfs
    Related Commands: show crypto map, crypto map. set pfslevel: Purpose: Use this command to designate the perfect forward secrecy (PFS) protection type for the policy.
  • Page 89: Set Sa Lifetime

    The policy of manual type cannot use this command. Lifetime range is 120~864000 (in seconds) or 256~4294900000 (in kilobytes). Example: This example describes how to create an IPSec security policy named and designate the lifetime for this policy.
  • Page 90: Set Session-Key

    Example: ...policy named mymap and manually specify the IP Security session keys and security parameter index (SPI) for the security associations.
    ZXR10(config)#crypto ipsec transform-set mytrs esp-des
    ZXR10(config)#crypto map mymap 123 manual
    ZXR10(config-crypto-map)#set transform-set mytrs
  • Page 91: Set Transform-Set

    Related Commands: show crypto ipsec transform-set. show crypto dynamic-map: Purpose: Use this command to display the specified configured policy or all configured policies. Command Modes: All modes. Syntax: show crypto dynamic-map [dynamic-map-name][dynamic-seq-number]
  • Page 92: Show Crypto Ipsec Transform-Set

    Purpose: Use this command to display the specified configured transform set or all configured transform sets. Command Modes: All modes. Syntax: show crypto ipsec transform-set [transform-set-name]. Syntax Description: transform-set-name: Transform set name, less than 18 characters
  • Page 93: Show Crypto Ipsec Sa Global-Lifetime

    IPSec security associations. Command Modes All modes Syntax show crypto ipsec sa [map <map-name>| address <peer-ip-address>] Syntax Description <map-name> Policy name, less than 18 characters <peer-ip-address> Security peer IP address
  • Page 94 : encryption algorithm : des encapsulation mode : tunnel throughput : 0KB outbound ah sa: clear isakmp sa Related Commands clear crypto ipsec sa show isakmp sa show crypto ipsec sa
  • Page 95: Ipsec Ipv6 Network Security Commands

    Example This example describes how to enter IPv6 IPSec configuration mode. ZXR10(config)#ipsec ZXR10(config-ipsec)#exit ZXR10(config)# sad add Related Commands sad clear sad delete sad delall sad flush spd add spd delete spd flush
  • Page 96: Sad Add

    FLASH and it will not take effect after the system is restarted. If the configured security association needs to be effective after the system is restarted, the security association must be configured to be permanently effective.
  • Page 97: Sad Clear

    Example This example describes how to reset all dynamic parameters of the security association adopting security protocol AH with the source IPv6 address fe80::2d0:d0ff:fec0:680 and destination IPv6 address fe80::2d0:d0ff:fec4:ff40.
  • Page 98: Sad Delall

    AH with the source IPv6 address as fe80::2d0:d0ff:fec0:680 and destination IPv6 address as ff02::5. ZXR10(config)#ipsec ZXR10(config-ipsec)#sad delall fe80::2d0:d0ff:fec0:680 ff02::5 ah ipsec Related Commands sad add sad clear sad delete sad flush spd add spd delete spd flush show sad
  • Page 99: Sad Delete

    Purpose Use this command to clear all configured security associations. Command Modes IPSec configuration Syntax sad flush
  • Page 100: Show Sad

    31323334 35363738 39303132 33343536 seq=0x00000000 replay=8 state=mature addtime: 1000(s) usetime: 1000(s) lapse: 48(s) 3ffe::1 3ffe::2 ah mode=transport spi=5500(0x0000157c) reqid=10(0x0000000a) A: hmac-sha1 key:31323334 35363738 39303132 33343536 37383930 seq=0x00000000 replay=8 state=mature addtime: 1000(s) usetime: 1000(s) lapse: 81(s)
  • Page 101: Show Spd

    Example This example describes how to display the configured security policy database. ZXR10(config)#ipsec ZXR10(config-ipsec)#show spd 3ffe::1/64 [any] 3ffe::2/64 [bgp-port] bgp in ipsec ah/transport//use spid=10 3ffe::1/64 3ffe::2/64 ospf in ipsec ah/transport//use spid=101
  • Page 102: Spd Add

    Destination port corresponding to BGP4+ in| out SP direction, incoming or outgoing ipsec Identifies that the IPSec policy is applied ah Identifies the AH security protocol used for encapsulation transport Identifies the transmission mode
  • Page 103: Spd Delete

    Related Commands sad add sad clear sad delete sad delall sad flush spd delete spd flush show sad show spd spd delete Purpose Use this command to delete the IPSec security policy.
  • Page 104 IPSec security policy is deleted. ZXR10(config)#ipsec ZXR10(config-ipsec)#spd delete fe80::2d0:d0ff:fec0:680/64 ff02::5/64 ospf out ipsec ZXR10(config-ipsec)#spd delete 100 ipsec Related Commands sad add sad clear sad delete sad detail sad flush spd add spd flush
  • Page 105: Spd Flush

    Example This example describes how to clear all configured SPDs. ZXR10(config)#ipsec ZXR10(config-ipsec)#spd flush ipsec Related Commands sad add sad clear sad delete sad delall sad flush spd add spd delete show sad show spd
  • Page 107: Syn Flood Protection

    Purpose Use this command to configure the syn flood defence policy and some defence parameters. Use the no form of this command to restore the default value. Command Modes Protect configuration Syntax synflood-protect defence <type>[[waittime <time>][num <num>]] no tcp synflood-protect defence
  • Page 108: Tcp Synflood-Protect Disable

    Example To speed up tcp connection ageing and delete the earliest half-connections, the example describes how to set the ageing time to 10 seconds and delete 3 half-connections. ZXR10(config)#protect ZXR10(config-protect)#tcp synflood-protect defence 0 time 10 num 3 Related Commands tcp synflood-protect max-connect tcp synflood-protect one-minute tcp synflood-protect disable Use this command to disable syn flood.
  • Page 109: Tcp Synflood-Protect Max-Connect

    Example This example describes how to configure the higher threshold to 78 and the lower threshold to 33. ZXR10(config)#protect ZXR10(config-protect)#tcp synflood-protect max-connect high 78 low 33 Related Commands tcp synflood-protect defence tcp synflood-protect one-minute
  • Page 110: Show Tcp Synflood-Protect All

    Example This example describes how to configure the higher threshold to 68 and the lower threshold to 23. ZXR10(config)#protect ZXR10(config-protect)#tcp synflood-protect one-minute high 68 low 23 Related Commands tcp synflood-protect max-connect tcp synflood-protect defence
  • Page 111: Show Tcp Synflood-Protect Config

    30 (seconds) old-half-connect is 1 max-connect high limit is 90% max-connect low limit is 60% one-minute high limit is 80% one-minute low limit is 50% The description of each area is shown below.
  • Page 112: Show Tcp Synflood-Protect Statistics

    MTU option in packet too big message. It indicates the MTU value the path supports Since Time since the buffer was created Timeout Time before the buffer entry expires Dest Destination address
  • Page 113 Chapter 8 SYN FLOOD Protection show tcp synflood-protect all Related Commands show tcp synflood-protect statistics
  • Page 115: Bfd Configuration

    BFD supports as 1 bfd interval Purpose Use this command to configure interface Bidirectional Forwarding Detection (BFD) parameters. Command Modes Interface configuration Syntax bfd interval <interval> min_rx <min_rx> multiplier <multiplier>
  • Page 116: Show Bfd Neighbors Brief

    Purpose Use this command to display information about RSVP BFD sessions (LSP FEC, local/remote identifier, session status, configuration interface). Command Modes Privileged EXEC and show command Syntax show bfd neighbors rsvp-lsp
  • Page 117: L2Tp Configuration

    Purpose Use this command to clear the designated tunnel and specify a session in the tunnel. Command Modes Privileged EXEC Syntax clear vpdn tunnel {local-tunnel-id <tunnel-id>[session-id <session-id>]| remote-name <remote-name>[session-id <session-id>]}
  • Page 118: Force-Local-Chap

    50 l2tp hidden Purpose Use this command to configure whether control packets hide attribute-value pairs (AVPs) when they are transmitted. Command Modes VPDN group configuration Syntax l2tp hidden no l2tp hidden
  • Page 119: L2Tp Sequence

    Purpose Use this command to configure the tunnel authentication key. Command Modes VPDN group configuration Syntax l2tp tunnel password <password> no l2tp tunnel password Syntax Description <password> Tunnel authentication key, in bytes, range: 3~32
  • Page 120: L2Tp Tunnel Receive-Windows

    1~10, default: 5 seconds l2tp tunnel timeout Purpose Use this command to configure the maximum idle timeout time of the tunnel. Command Modes VPDN group configuration Syntax l2tp tunnel timeout <time> no l2tp tunnel timeout
  • Page 121: Lcp Renegotiation

    129 FEC TLV coding/encoding and pwe3 extension functions are supported. Command Modes Global configuration Syntax mpls l2transport pwe3 extension no mpls l2transport pwe3 extension Defaults This command is disabled by default.
  • Page 122: Mpls L2Transport Pwe3 Extension Reflector Repeater

    Example This example describes how to configure support for the repeater reflector. ZXR10(config)#mpls l2transport pwe3 extension reflector repeater Related Commands mpls l2transport pwe3 extension show running-config
  • Page 123: Proxy-Authentication

    Syntax show vpdn tunnel Purpose Use this command to display information about the VPDN tunnel. Command Modes Privileged EXEC Syntax show vpdn tunnel {all | local-tunnel-id <tunnel-id>[local-session <session-id>]| remote-name <remote-name>[local-session <session-id>]}
  • Page 124: Source-Ip

    Example This example describes how to bind the user group ug1 with the vpdn group vg1 and make ug1 the VPDN authentication user. ZXR10(config)#user-group special ug1 username user1 password pass1 ZXR10(config)#vpdn-group vg1 ZXR10(config)#user-vpdn-group user-group ug1 vpdn-group vg1 user-group...
  • Page 125: Virtual-Template

    The sequence of VLAN ID1 and VLAN ID2 does not affect the function. Example This example describes how to configure vlan 100 and vlan 200 to intercommunicate with each other. ZXR10(config)#vfi vfi1 ZXR10(config-vfi)#vcid 100 ZXR10(config-vfi)#vlan-import 100 200
  • Page 126: Vpdn Default Vpdn-Group

    (fragments are generated after the encapsulation of L2TP). If the client does not support the MTU redirection function, fast forwarding must be disabled to forward packets. However, forwarding performance is severely degraded as a consequence.
  • Page 127: Vpdn Radius-Authentication Vpdn-Group

    Command Modes Global configuration Syntax vpdn-group <group-name> no vpdn-group <group-name> Syntax Description <group-name> Name of the group, in bytes, range: 1~32 Example This example describes how to create a VPDN group. ZXR10(config)#vpdn-group vg1
  • Page 129: Tacacs+ Configuration

    Accounting is not conducted Example This example describes how to configure tacacs+ command accounting with CLI authorization level 15 by using tacacs+ server group tacNtTac. ZXR10(config)#aaa accounting commands 15 default stop-only group tacNtTac
  • Page 130: Aaa Authentication

    TACACS+ server group tacNtTac. Similarly, when the TACACS+ server group is invalid, use local authentication. ZXR10(config)#aaa authentication enable default local group tacNtTac ZXR10(config)#no aaa authentication enable default ZXR10(config)#aaa authentication enable default group tacNtTac local tacacs enable...
  • Page 131: Aaa Group-Server Tacacs

    1. Example This example describes how to configure the command shell authorization method list with TACACS+ server group tacNtTac. ZXR10(config)#aaa authorization exec default group tacNtTac Related Commands tacacs enable aaa group-server tacacs+...
  • Page 132: Server

    Purpose Use this command to configure the TACACS+ client IP address, which is used for communication between the ZXR10 router/switch and the TACACS+ server. Delete this configuration with the no form of this command. Command Modes Global configuration tacacs-client <ip-addr>[port <port-number>]...
  • Page 133: Tacacs Disable

    Delete this configuration with the no form of this command. Command Modes Global configuration Syntax tacacs-server host <ip-addr>[port <integer>][timeout <integer>][key <string>] no tacacs-server host <ip-addr>[port <integer>] Syntax Description <ip-addr> TACACS+ server IP address port TACACS+ server port number, default: 49
  • Page 134: Tacacs-Server Key

    Purpose Use this command to configure the maximum packet length of the TACACS+ protocol. The default length is 1024 bytes. Restore the default setting with the no form of this command. Command Modes Global configuration Syntax tacacs-server packet <length> no tacacs-server packet
  • Page 135: Tacacs-Server Timeout

    Syntax Description <seconds> Timeout, in seconds, range: 1~1000, default: 5 seconds Example This example describes how to configure the TACACS+ server timeout to 10 seconds. ZXR10(config)#tacacs-server timeout 10 Related Commands tacacs enable
  • Page 137: Radius Configuration

    Purpose Use this command to enter RADIUS accounting server group configuration mode. Command Modes Global configuration Syntax radius accounting-group <group-number> Syntax Description <group-number> Group number of the RADIUS accounting server group, range: 1~10
  • Page 138: Accounting-Group Algorithm

    A unique ASCII string alias, it can be any character or number string (space not included), not more than 32 characters Example This example describes how to set the accounting server group alias to acc_grp1. ZXR10(config)#radius accounting-group 1 ZXR10(config-acctgrp-1)#alias acc_grp1 ZXR10(config-acctgrp-1)#
  • Page 139: Accounting-Group Calling-Station-Format

    RADIUS server Example This example shows how to set the time for which the RADIUS accounting server group is treated as invalid to 3 minutes. ZXR10(config)#radius accounting-group 1 ZXR10(config-acctgrp-1)#deadtime 3 ZXR10(config-acctgrp-1)#
  • Page 140: Accounting-Group Ip Mng

    VRF defines. Remove the association with the no form of this command. Example This example shows how to associate the RADIUS accounting server group with VRF1. ZXR10(config)#radius accounting-group 1 ZXR10(config-acctgrp-1)#ip vrf vrf1 ZXR10(config-acctgrp-1)#
  • Page 141: Accounting-Group Interim-Packet-Quota

    Description enable | disable enable: enables accounting local buffer disable: disables accounting local buffer Example This example describes how to set the accounting server group with local buffer. ZXR10(config)#radius accounting-group 1 ZXR10(config-acctgrp-1)#local-buffer enable ZXR10(config-acctgrp-1)#
  • Page 142: Accounting-Group Max-Retries

    Syntax Description <ipaddress> NAS-IP-Address of the RADIUS accounting server group Example This example describes how to configure the NAS-IP-Address of the RADIUS accounting server group to 192.168.70.2. ZXR10(config)#radius accounting-group 1 ZXR10(config-acctgrp-1)#nas-ip-address 192.168.70.2 ZXR10(config-acctgrp-1)#
  • Page 143: Accounting-Group Server

    1025~65535, default: authentication server group 1813 Example This example describes how to set server 1 192.168.70.5 as the master server, the shared key to zte, and the port to 1813. ZXR10(config)#radius accounting-group 1 ZXR10(config-acctgrp-1)#server 1 192.168.70.5 master key zte port 1813...
  • Page 144: Accounting-Group User-Name-Format

    Command Modes RADIUS accounting server group configuration Syntax vendor {enable | disable} Syntax Description enable | disable enable: enables the attribute self-defined by the vendor; disable: disables the attribute self-defined by the vendor
  • Page 145: Authentication-Group

    RADIUS server. Default: first Example This example describes how to set the RADIUS server group 1 selection algorithm to round-robin. ZXR10(config)#radius accounting-group 1 ZXR10(config-authgrp-1)#algorithm round-robin ZXR10(config-authgrp-1)#
  • Page 146: Authentication-Group Alias

    <number> Syntax Syntax Description <number> Range 1~2, default: 1 Example This example describes how to configure the definition of the calling-station-id field format to 2. ZXR10(config)#radius accounting-group 1 ZXR10(config-authgrp-1)#calling-station-format 2 ZXR10(config-authgrp-1)#
  • Page 147: Authentication-Group Deadtime

    Instructions this command must be configured. • The management port is not used by default. Example This example shows how to make the RADIUS authentication server group use the management port for authentication.
  • Page 148: Authentication-Group Ip Vrf

    Maximum timeout retries of the BRAS to transmit authentication information, namely, the maximum number of times the BRAS retransmits authentication information when it is transmitted to the RADIUS server and there is no normal response, range: 1~255, default: 3
  • Page 149: Authentication-Group Nas-Ip-Address

    <servernum> Syntax Description <servernum> Server number, range: 1~4 <ipaddress> Server IP address master Optional parameter, this server is the master server; there is only one master server in one authentication server group
  • Page 150: Authentication-Group Timeout

    1812 Example This example describes how to configure authentication server group 1 with 192.168.70.5 as the master server, the shared key zte, and the server port 1812. ZXR10(config)#radius accounting-group 1 ZXR10(config-authgrp-1)#server 1 192.168.70.5 master key zte port 1812...
  • Page 151: Authentication-Group Vendor

    Related Commands radius auto-change Purpose Use this command to configure telnet to change to local authentication after the RADIUS authentication timeout. Command Modes Global configuration Syntax radius auto-change {on | off}
  • Page 152: Show Configuration Radius All

    1 alias acc_grp1 ip vrf vrf1 server 1 192.168.70.5 master key zte port 1813 algorithm first timeout 5 max-retries 10 deadtime 3 calling-station-format 2 nas-ip-address 192.168.70.2 user-name-format include-domain vendor enable local-buffer enable ZXR10(config)#
  • Page 153: Aaa Configuration

    <rule-id> accounting {enable | disable} Syntax Syntax Description <rule-id> Rule identifier, range: 1~512 Instructions This command is applied to T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to enable the accounting function of access control rule 1.
  • Page 154: Aaa Authentication

    Authentication through local authentication server radius Authentication through the RADIUS authentication server Instructions This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to configure the authentication mode of access control rule 1 to local authentication.
  • Page 155: Aaa Control

    Rule identifier, range: 1~512 dot1x IEEE 802.1x access control dot1x-relay IEEE 802.1x relay Instructions This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to activate the dot1x access control of access control rule 1.
  • Page 156: Aaa Fullaccount

    <rule-id> fullaccount {enable | disable} Syntax Syntax Description <rule-id> Rule identifier, range: 1~512 Instructions This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to enable the user name to carry the ISP name in access control rule 1.
  • Page 157: Aaa Keepalive

    <host-number> Maximum number of access users under the rule, range: 0~2048, the maximum value: 2048, default: 0 Instructions This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to activate 10 access users in access control rule 1.
  • Page 158: Aaa Protocol

    <rule-id> protocol {pap | chap | eap-md5} Syntax Syntax Description <rule-id> Rule identifier, range: 1~512 Instructions This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to configure the authentication protocol of access control rule 1 to PAP.
  • Page 159: Clear Aaa

    Command Modes clear aaa <rule-id> Syntax Syntax Description <rule-id> Rule identifier, range: 1~512 This command is applied to ZXR10 T240G/T160G/T64G/T40G and Instructions ZXR10 3900/3200 only. This example describes how to clear access rule 1. Example ZXR10(config)#nas ZXR10(config-nas)#clear aaa 1 create aaa...
  • Page 160: Clear Localuser

    <user-id> Syntax Syntax Description <user-id> Local authentication user identifier, range: 1~1024 This command is applied to ZXR10 T240G/T160G/T64G/T40G and Instructions ZXR10 3900/3200 only. This example describes how to clear local authentication user 1. Example ZXR10(config)#nas ZXR10(config-nas)#clear localuser 1...
  • Page 161: Create Localuser

    Local authentication user name, the length is: 3~32 <user-password> Local authentication user password, the length is: 1~16 Instructions This command is applied to T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to create local authentication user 1 named zte and set the password to zte.
  • Page 162: Localuser Mac

    Local authentication user identifier, range: 1~1024 <mac-address> Local authentication user MAC address, in the format of XXXX.XXXX.XXXX Instructions This command is applied to T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to configure the MAC address of local authentication user 1 to 0011.D87A.D580.
  • Page 163: Localuser Vlan

    Description <user-id> Local authentication user identifier, range: 1~1024 <vlan-id> VLAN identifier, range: 1~4094 Instructions This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to configure local authentication user 1 to VLAN 2. ZXR10(config)#nas...
  • Page 164 ZXR10 Command Manual (Security Volume) Syntax Description <rule-id> Rule identifier, range: 1~512 Instructions This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example • This example describes how to display all access control rules. ZXR10#show aaa MaxAaaRules : 512...
  • Page 165 Maximum number of hosts under this rule Related Commands create aaa aaa accounting aaa authentication aaa authorization aaa control aaa default-isp aaa fullaccount aaa groupname aaa keepalive aaa multiple-hosts aaa protocol aaa radius-server clear aaa
  • Page 166: Show Client

    <rule-id> Rule identifier, range: 1~512 <mac-address> MAC address <client-index> Client index, range: 0~2047 Instructions This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example • This example describes how to display all users logging in from the interface fei_2/1.
  • Page 167: Show Localuser

    Related Commands show localuser Purpose Use this command to display local authentication users. Command Modes All modes except user EXEC Syntax show localuser [<user-id>] Syntax Description <user-id> Local authentication user identifier, range: 1~1024
  • Page 168 ZXR10 Command Manual (Security Volume) Instructions This command is applied to ZXR10 T240G/T160G/T64G/T40G and ZXR10 3900/3200 only. Example • This example describes how to display all local authentication users. ZXR10#show localuser MaxLocalUsers : 1024 HistoryConfigTotal: 3 CurrentConfigTotal: 3 Id UserName PassWord Port Vlan MacAddress...
  • Page 169 MAC address of the authentication user Accounting Whether the accounting is enabled for the user IpAddress IP address of the authentication user Related Commands create localuser localuser accounting localuser mac localuser port localuser vlan clear localuser
  • Page 171: Dot1X Configuration

    Maximum number of requests sent by the access control to the client, range: 1~10, default: 2 Instructions This command is applied to ZXR10 T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to set the maximum number of requests sent by the authentication system to the client to 5.
  • Page 172: Dot1X Re-Authentication

    Period during which there is no response for this client after the client authentication fails, in seconds, range: 0~65535, default: 60 seconds Instructions This command is applied to ZXR10 T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to set the quiet period of the access control to 30 seconds.
  • Page 173: Dot1X Supplicant-Timeout

    Chapter 14 Dot1x Configuration Instructions This command is applied to ZXR10 T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to set the timeout for the access control to wait for the authentication server response to 60 seconds. ZXR10(config)#nas...
  • Page 174: Show Dot1X

    Purpose trol. Command Modes All modes except user EXEC Syntax show dot1x Instructions This command is applied to ZXR10 T160G/T64G/T40G and ZXR10 3900/3200 only. Example This example describes how to show the global parameters of the access control. ZXR10#show dot1x...
  • Page 175: Cpu Protection Configuration

    Example This example describes how to enable and then disable the debug function of defending against the DOS attack on the interface fei_1/1. ZXR10#debug port-upsend fei_1/1 ZXR10#no debug port-upsend fei_1/1 ZXR10#debug port-upsend fei_1/1 ZXR10#no debug port-upsend
  • Page 176: Port-Upsend

    ATM interface, ATM sub-interface. • POS interface, POS sub-interface, Mppp interface. • In addition, the damping method for defending against the DOS attack needs new additional requirements to accomplish the following functions (CRDCR00213525).
  • Page 177 ZXR10(config-if)#port-upsend 100 6 10 all • This example describes how to make the sub-interface never inherit the port-upsend attribute of the parent interface. ZXR10(config-subif)#port-upsend no-application Related Commands show run interface <interface_name>
