HP 6600/HSR6600 Routers
Security

Command Reference

Part number: 5998-1514
Software version: A6602-CMW520-R3103
A6600-CMW520-R3102-RPE
A6600-CMW520-R3102-RSE
HSR6602_MCP-CMW520-R3102
Document version: 6PW103-20130628


Summary of Contents for HP HSR6600

  • Page 1: Command Reference

    HP 6600/HSR6600 Routers Security Command Reference Part number: 5998-1514 Software version: A6602-CMW520-R3103 A6600-CMW520-R3102-RPE A6600-CMW520-R3102-RSE HSR6602_MCP-CMW520-R3102 Document version: 6PW103-20130628...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
  • Page 3: Table Of Contents

    Contents: AAA configuration commands (p. 1); General AAA configuration commands (p. 1); aaa nas-id profile (p. 1); access-limit enable (p. 1); accounting command (p. 2); accounting default (p. 3); accounting dvpn (p. 4); accounting lan-access ...
  • Page 4: expiration-date (p. 49); group (p. 50); group-attribute allow-guest (p. 51); local-user (p. 51); password (p. 52); service-type (p. 54); state (local user view) (p. 55); user-group (p. 55); validity-date (p. 56); RADIUS configuration commands ...
  • Page 5: reset hwtacacs statistics (p. 109); reset stop-accounting-buffer (for HWTACACS) (p. 110); retry stop-accounting (HWTACACS scheme view) (p. 111); secondary accounting (HWTACACS scheme view) (p. 112); secondary authentication (HWTACACS scheme view) (p. 113); secondary authorization (p. 114) ...
  • Page 6: display portal interface (p. 164); display portal server (p. 165); display portal server statistics (p. 166); display portal tcp-cheat statistics (p. 169); display portal user (p. 170); portal auth-network (p. 172); portal auth-network destination (p. 173) ...
  • Page 7: password-control authentication-timeout (p. 219); password-control complexity (p. 220); password-control composition (p. 220); password-control enable (p. 222); password-control expired-user-login (p. 222); password-control history (p. 223); password-control length (p. 223); password-control login idle-time (p. 225) ...
  • Page 8: pki certificate attribute-group (p. 263); pki delete-certificate (p. 264); pki domain (p. 264); pki entity (p. 265); pki import-certificate (p. 266); pki request-certificate domain (p. 266); pki retrieval-certificate (p. 267); pki retrieval-crl domain (p. 268) ...
  • Page 9: transform (p. 321); transform-set (p. 321); tunnel local (p. 322); tunnel remote (p. 323); IKE configuration commands (p. 325); authentication-algorithm (p. 325); authentication-method (p. 325); certificate domain (p. 326); dh (p. 327); display ike dpd ...
  • Page 10: cdup (p. 363); delete (p. 363); dir (p. 364); display sftp client source (p. 365); display ssh client source (p. 365); display ssh server-info (p. 366); exit (p. 367); get (p. 367); help (p. 368) ...
  • Page 11: firewall ipv6 enable (p. 406); firewall packet-filter (p. 406); firewall packet-filter ipv6 (p. 407); reset firewall ipv6 statistics (p. 408); reset firewall-statistics (p. 408); ASPF configuration commands (p. 409); aspf-policy (p. 409); display aspf all (p. 409) ...
  • Page 12: firewall http url-filter host acl (p. 450); firewall http url-filter host default (p. 451); firewall http url-filter host enable (p. 451); firewall http url-filter host ip-address (p. 452); firewall http url-filter host url-address (p. 453); firewall http url-filter parameter ...
  • Page 13: ... (p. 517); fips mode enable (p. 517); fips self-test (p. 518); Support and other resources (p. 520); Contacting HP (p. 520); Subscription service (p. 520); Related information (p. 520); Documents (p. 520) ...
  • Page 14: Aaa Configuration Commands

    AAA configuration commands. General AAA configuration commands. aaa nas-id profile: Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs. Use undo aaa nas-id profile to remove a NAS ID profile. Syntax: aaa nas-id profile profile-name; undo aaa nas-id profile profile-name...
  • Page 15: Accounting Command

    Views: ISP domain view. Default command level: 2: System level. Parameters: max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646. Usage guidelines: System resources are limited, and user connections may compete for network resources when there are many users.
  • Page 16: Accounting Default

    Examples: # Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac. Related commands: • accounting default • hwtacacs scheme. accounting default: Use accounting default to configure the default accounting method for an ISP domain. Use undo accounting default to restore the default.
  • Page 17: Accounting Dvpn

    [Sysname] domain test [Sysname-isp-test] accounting default radius-scheme rd local. Related commands: • local-user • hwtacacs scheme • radius scheme. accounting dvpn: Use accounting dvpn to configure the accounting method for DVPN users. Use undo accounting dvpn to restore the default. Syntax: accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] }; undo accounting dvpn...
  • Page 18: Accounting Lan-Access

    • radius scheme. accounting lan-access: Use accounting lan-access to configure the accounting method for LAN users. Use undo accounting lan-access to restore the default. Syntax: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }; undo accounting lan-access. Default: The default accounting method for the ISP domain is used for LAN users.
  • Page 19: Accounting Login

    accounting login: Use accounting login to configure the accounting method for login users through the console, AUX, or Asyn port or through Telnet. Use undo accounting login to restore the default. Syntax: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }; undo accounting login. Default...
  • Page 20: Accounting Optional

    accounting optional: Use accounting optional to enable the accounting optional feature. Use undo accounting optional to disable the feature. Syntax: accounting optional; undo accounting optional. Default: The feature is disabled. Views: ISP domain view. Default command level: 2: System level. Usage guidelines: After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or when...
  • Page 21: Accounting Ppp

    Default command level: 2: System level. Parameters: local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines: The specified RADIUS scheme must have been configured. Examples: # Configure ISP domain test to use local accounting for portal users.
  • Page 22: Accounting Ssl-Vpn

    Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 23: Authentication Default

    Parameters: radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines: The following matrix shows the command and router compatibility (columns: Command, 6602, HSR6602, 6604/6608/6616; row: accounting ssl-vpn). The specified RADIUS scheme must have been configured. Examples: # Configure ISP domain test to use RADIUS accounting scheme rd for SSL VPN users.
  • Page 24: Authentication Dvpn

    Usage guidelines: The specified RADIUS or HWTACACS scheme must have been configured. The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured. Examples: # Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.
  • Page 25: Authentication Lan-Access

    # Configure ISP domain test to use RADIUS authentication scheme rd for DVPN users and use local authentication as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authentication dvpn radius-scheme rd local. Related commands: • local-user • authentication default • radius scheme •...
  • Page 26: Authentication Login

    [Sysname-isp-test] authentication lan-access radius-scheme rd local. Related commands: • local-user • authentication default • radius scheme. authentication login: Use authentication login to configure the authentication method for login users through the console, AUX, or Asyn port, Telnet, or FTP. Use undo authentication login to restore the default. Syntax: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }...
  • Page 27: Authentication Portal

    Related commands: • local-user • authentication default • hwtacacs scheme • radius scheme. authentication portal: Use authentication portal to configure the authentication method for portal users. Use undo authentication portal to restore the default. Syntax: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }; undo authentication portal. Default: The default authentication method for the ISP domain is used for portal users.
  • Page 28: Authentication Ppp

    authentication ppp: Use authentication ppp to configure the authentication method for PPP users. Use undo authentication ppp to restore the default. Syntax: authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }; undo authentication ppp. Default: The default authentication method for the ISP domain is used for PPP users.
  • Page 29: Authentication Ssl-Vpn

    authentication ssl-vpn: Use authentication ssl-vpn to configure the RADIUS authentication method for SSL VPN users. Use undo authentication ssl-vpn to restore the default. Syntax: authentication ssl-vpn radius-scheme radius-scheme-name; undo authentication ssl-vpn. Default: The default authentication method for the ISP domain is used for SSL VPN users. Views: ISP domain view. Default command level...
  • Page 30: Authorization Command

    Default: The default authentication method for the ISP domain is used for user privilege level switching authentication. Views: ISP domain view. Default command level: 2: System level. Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 31: Authorization Default

    Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0. Usage guidelines: The specified HWTACACS scheme must have been configured.
  • Page 32: Authorization Dvpn

    Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
  • Page 33: Authorization Lan-Access

    Parameters: local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines: The specified RADIUS scheme must have been configured.
  • Page 34: Authorization Login

    none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines: This command is supported only on SAP interface modules that are operating in Layer 2 mode. The specified RADIUS scheme must have been configured.
  • Page 35: Authorization Portal

    Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 36: Authorization Ppp

    Default command level: 2: System level. Parameters: local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 37: Authorization Ssl-Vpn

    Default command level: 2: System level. Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. In this case, an authenticated PPP user can access the network directly.
  • Page 38: Authorization-Attribute User-Profile

    Views: ISP domain view. Default command level: 2: System level. Parameters: radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines: The following matrix shows the command and router compatibility (columns: Command, 6602, HSR6602, 6604/6608/6616)...
  • Page 39: Cut Connection

    Parameters: profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide. Usage guidelines: After a user of an ISP domain passes authentication, if the server (or the access device in the case of local authentication) does not authorize any user profile to the ISP domain, the system uses the user profile specified by the authorization-attribute user-profile command as that of the ISP domain.
  • Page 40: Display Connection

    ucibindex ucib-index: Specifies the user connection that uses the connection index, in the range of 0 to 4294967295. user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.
  • Page 41: Default command level: 1: Monitor level. Parameters: access-type: Specifies the user connections of the specified access type. • dot1x: Indicates 802.1X authentication. This keyword is supported only on the SAP interface modules that are operating in Layer 2 mode. • mac-authentication: Indicates MAC address authentication. This keyword is supported only on the...
  • Page 42: authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain. How the device displays the username of a user on an interface configured with a mandatory authentication domain depends on the format of the username entered by the user at login: • If the username does not contain the at sign (@), the device displays the username in the format...
  • Page 43: Slot: Index=0 , Username=telnet@system IP=10.0.0.1 IPv6=N/A Access=Admin ,AuthMethod=PAP Port Type=Virtual ,Port Name=N/A ACL Group=Disable User Profile=N/A CAR=Disable Priority=Disable SessionTimeout=60(s), Terminate-Action=Radius-Request Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s Total 1 connection matched. Slot: Total 0 connection matched. Slot: Total 0 connection matched. Table 1 Command output (Field / Description): Slot...
  • Page 44: Display Domain

    display domain: Use display domain to display the configuration of ISP domains. Syntax: display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]. Views: Any view. Default command level: 1: Monitor level. Parameters: isp-name: Name of an existing ISP domain, a string of 1 to 24 characters. |: Filters command output by specifying a regular expression.
  • Page 45: Lan-access authorization scheme : hwtacacs:hw, local Lan-access accounting scheme : local Domain User Template: Idle-cut : Disabled Session-time : exclude-idle-time Self-service : Disabled Authorization attributes : User-profile : profile1 Default Domain Name: system Total 2 domain(s). Table 2 Command output (Field / Description): Domain...
  • Page 46: Domain

    Field / Description: Authorization attributes: Default authorization attributes for the ISP domain. User-profile: Default authorization user profile. Related commands: • access-limit enable • domain • state. domain: Use domain to create an ISP domain and enter ISP domain view. Use undo domain to remove an ISP domain. Syntax: domain isp-name; undo domain isp-name...
  • Page 47: Domain Default Enable

    domain default enable: Use domain default enable to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain. Use undo domain default enable to restore the default. Syntax: domain default enable isp-name; undo domain default enable. Default...
  • Page 48: Idle-Cut Enable

    undo domain if-unknown. Default: No ISP domain is specified for users with unknown domain names. Views: System view. Default command level: 3: Manage level. Parameters: isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), and at sign (@).
  • Page 49: Ip Pool

    Views: ISP domain view. Default command level: 2: System level. Parameters: minute: Idle timeout period, ranging from 1 to 600 minutes. flow: Minimum traffic during the idle timeout period in bytes. It ranges from 1 to 10240000 and defaults to 10240. Usage guidelines: With the idle cut function enabled for a domain, the device checks the traffic of each online user in the domain at the idle timeout interval, and it logs out any user in the domain whose traffic during the idle...
  • Page 50: Nas Device-Id

    low-ip-address and high-ip-address: Start and end IP addresses of the address pool. Up to 1024 addresses are allowed for an address pool. If you do not specify the end IP address, there is only one IP address in the pool, which is the start IP address. Usage guidelines: You can also configure an address pool for PPP users in system view.
  • Page 51: Nas-Id Bind Vlan

    Usage guidelines: The following matrix shows the command and router compatibility (columns: Command, 6602, HSR6602, 6604/6608/6616; row: nas device-id). Configuring or changing the device ID of a device logs out all online users of the device. The two devices working in stateful failover mode must use the device IDs of 1 and 2. The device ID is the symbol for stateful failover mode.
  • Page 52: Self-Service-Url Enable

    <Sysname> system-view [Sysname] aaa nas-id profile aaa [Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2 Related commands aaa nas-id profile self-service-url enable Use self-service-url enable to enable the self-service server location function and specify the URL of the self-service server. Use undo self-service-url enable to restore the default. Syntax self-service-url enable url-string undo self-service-url enable...
  • Page 53: State (Isp Domain View)

    undo session-time include-idle-time Default The user online time uploaded to the server excludes the idle cut time. Views ISP domain view Default command level 2: System level Usage guidelines The device uploads to the server the online user time when a user is logged off. However, the online user time of an abnormally logged-off user can contain an idle timeout interval or a detection interval when the idle cut function or online portal user detection is enabled.
  • Page 54: Local User Configuration Commands

    Usage guidelines By blocking an ISP domain, you prevent offline users of the domain from requesting network services. Online users are not affected. Examples # Place the ISP domain test in the blocked state. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] state block Local user configuration commands access-limit...
  • Page 55: Authorization-Attribute

    authorization-attribute Use authorization-attribute to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device assigns these attributes to the user. Use undo authorization-attribute to remove authorization attributes and restore the defaults. Syntax authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role { guest | guest-manager | security-audit } | vlan vlan-id |...
  • Page 56: Bind-Attribute

    commands. For more information, see Network Management and Monitoring Command Reference. vlan vlan-id: Specifies the authorized VLAN, where vlan-id ranges from 1 to 4094. After passing authentication, a local user can access the resources in this VLAN. work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP service.
  • Page 57: Display Local-User

    Views Local user view Default command level 3: Manage level Parameters call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users. subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.
  • Page 58 Parameters idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled. service-type: Specifies the local users who use a specified type of service. dvpn: DVPN tunnel users. • ftp: FTP users. This keyword is not supported in FIPS mode. •...
  • Page 59 Examples # On the 6602 router, display information about all local users. <Sysname> display local-user The contents of local user abc: State: Active ServiceType: Access-limit: Enabled Current AccessNum: 0 Max AccessNum: User-group: system Bind attributes: IP address: 1.2.3.4 Bind location: 0/4/1 (SLOT/SUBSLOT/PORT) MAC address: 00-01-00-02-00-03...
  • Page 60 Field Description Expiration date Expiration time of the local user. Password aging Aging time of the local user password. Password length Minimum length of the local user password. Password composition Password composition policy of the local user. # On the HSR6602/6604/6608/6616 router, display the information of local user bbb on the card installed on slot 0.
  • Page 61: Display User-Group

    Field Description VLAN ID VLAN to which the local user is bound. User Profile User profile for local user authorization. Calling Number Calling number of the ISDN user. Authorization attributes Authorization attributes of the local user. Idle TimeOut Idle timeout period of the user, in minutes. Callback-number Authorized PPP callback number of the local user.
  • Page 62: Expiration-Date

    <Sysname> display user-group abc The contents of user group abc: Authorization attributes: Idle-cut: 120(min) Work Directory: cfa0: Level: Acl Number: 2000 Vlan ID: User-Profile: Callback-number: Password aging: Enabled (1 days) Password length: Enabled (4 characters) Password composition: Enabled (1 types, 1 characters per type) Total 1 user group(s) matched.
  • Page 63: Group

    Default command level 3: Manage level Parameters time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month.
  • Page 64: Group-Attribute Allow-Guest

    [Sysname] local-user 111 [Sysname-luser-111] group abc group-attribute allow-guest Use group-attribute allow-guest to set the guest attribute for a user group so that guest users created by a guest manager through the Web interface can join the group. Use undo group-attribute allow-guest to restore the default. Syntax group-attribute allow-guest undo group-attribute allow-guest...
  • Page 65: Password

    Default command level 3: Manage level Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@) and cannot be a, al, or all.
  • Page 66 Views Local user view Default command level 2: System level Parameters hash: Enables hash-based encryption. cipher: Sets a ciphertext password. simple: Sets a plaintext password. password: Specifies the password string. This argument is case sensitive. If hash is not specified, a ciphertext password must be a string of 1 to 117 characters and a plaintext password must be a string of 1 to 63 characters.
  • Page 67: Service-Type

    service-type Use service-type to specify the service types that a user can use. Use undo service-type to delete one or all service types configured for a user. Syntax service-type { dvpn | ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp | web } undo service-type { dvpn | ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp | web } Default A user is authorized with no service.
  • Page 68: State (Local User View)

    state (local user view) Use state to set the status of a local user. Use undo state to restore the default. Syntax state { active | block } undo state Default A local user is in active state. Views Local user view Default command level 2: System level Parameters...
  • Page 69: Validity-Date

    Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Usage guidelines A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
  • Page 70: Radius Configuration Commands

    system time is between the validity time and the expiration time. If it is, the device permits the user to access the network. Otherwise, the device denies the access request of the user. Examples # Set the validity time of user abc to 12:10:20 on April 30, 2008, and set the expiration time to 12:10:20 on May 31, 2008.
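The validity-date and expiration-date checks described here (the four accepted time spellings listed under expiration-date, and the window comparison above) are easy to get wrong in tooling that generates or audits local-user configuration. Below is an added Python parser for those four spellings with the stated ranges enforced, followed by the window check. This is example code written for this page, not HP's implementation; inclusive endpoints and the treatment of a missing validity or expiration time as unbounded are assumptions made here.

```python
"""Parse and check local-user validity-date / expiration-date values.

Added example for this command reference, not HP code. It accepts the four formats the
reference lists and enforces the stated ranges (YYYY 2000..2035, HH 0..23, MM/SS 0..59,
DD valid for the month). Inclusive endpoints are an assumption.
"""
from datetime import datetime
from typing import Optional

_FORMATS = (
    "%H:%M:%S-%m/%d/%Y",   # HH:MM:SS-MM/DD/YYYY
    "%H:%M:%S-%Y/%m/%d",   # HH:MM:SS-YYYY/MM/DD
    "%m/%d/%Y-%H:%M:%S",   # MM/DD/YYYY-HH:MM:SS
    "%Y/%m/%d-%H:%M:%S",   # YYYY/MM/DD-HH:MM:SS
)


def parse_user_time(text: str) -> datetime:
    """Return the datetime for one of the four accepted spellings, else raise ValueError."""
    for fmt in _FORMATS:
        try:
            when = datetime.strptime(text, fmt)
        except ValueError:
            continue
        # strptime already rejects HH > 23, MM/SS > 59, month > 12 and days the month
        # does not have, but it accepts any four-digit year, so the 2000..2035 window
        # stated by the reference is checked here.
        if not 2000 <= when.year <= 2035:
            raise ValueError(f"year {when.year} outside 2000..2035: {text!r}")
        return when
    raise ValueError(f"not in an accepted time format: {text!r}")


def access_permitted(now: datetime, validity: Optional[str], expiration: Optional[str]) -> bool:
    """True when now lies between validity-date and expiration-date (each may be unset)."""
    if validity is not None and now < parse_user_time(validity):
        return False
    if expiration is not None and now > parse_user_time(expiration):
        return False
    return True


if __name__ == "__main__":
    # The page's own example: valid from 12:10:20 on April 30, 2008 until 12:10:20 on May 31, 2008.
    validity, expiration = "12:10:20-04/30/2008", "12:10:20-05/31/2008"
    for probe in (datetime(2008, 5, 15), datetime(2008, 6, 1)):
        print(probe, "permitted" if access_permitted(probe, validity, expiration) else "denied")
    for bad in ("02/30/2008-00:00:00", "12:00:00-01/01/1999"):
        try:
            parse_user_time(bad)
        except ValueError as err:
            print("rejected:", err)
```

Each format is tried in turn, and because the year pattern requires four digits and the month pattern at most two, a date written in one order cannot be mis-parsed in another; the year bound is the one check strptime cannot do for you.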
  • Page 71: Attribute 25 Car

    Examples # Enable the accounting-on feature for RADIUS authentication scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] accounting-on enable interval 5 send 15 Related commands radius scheme attribute 25 car Use attribute 25 car to specify the device to interpret the RADIUS class attribute (attribute 25) as CAR...
  • Page 72: Display Radius Scheme

    Default The unit for data flows is byte and that for data packets is one-packet. Views RADIUS scheme view Default command level 2: System level Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
  • Page 73 exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines The following matrix shows the option and router compatibility: Option 6602 HSR6602...
  • Page 74 Index number of the RADIUS scheme. Type: Type of the RADIUS server supported on the router: • Extended—The RADIUS server uses the proprietary RADIUS protocol of HP for packet exchange. • Standard—The RADIUS server uses the standard RADIUS protocol for packet exchange.
  • Page 75: Display Radius Statistics

    Field Description Acct Server Encryption Key: Shared key for secure accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. VPN instance: MPLS L3VPN to which the scheme belongs. If no VPN instance is specified for the scheme, this field displays N/A.
  • Page 76 |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 77 RADIUS sent messages statistic: Auth accept Num = 10 Auth reject Num = 14 Auth continue Num = 0 Account success Num = 4 Account failure Num = 3 Server ctrl req Num = 0 RecError_MSG_sum = 0 SndMSG_Fail_sum Timer_Err Alloc_Mem_Err State Mismatch Other_Error...
  • Page 78 Field Description RADIUS received messages statistic Statistics for received RADIUS messages. Normal auth request Counts of normal authentication requests. Auth request Counts of normal authentication requests. Account request Counts of accounting requests. Account off request Counts of stop-accounting requests. PKT auth timeout Counts of authentication timeout messages.
  • Page 79 AcctStart = 0 RLTSend = 0 RLTWait = 0 AcctStop = 0 OnLine = 0 Stop = 0 StateErr = 0 Received and Sent packets statistic: Sent PKT total = 1547 Received PKT total = 23 Resend Times Resend total Total 1016 RADIUS received packets statistic:...
  • Page 80 Table 8 Command output Field Description slot Number of the slot in which the card resides. state statistic User statistics, by state. DEAD Number of idle users. AuthProc Number of users waiting for authentication. AuthSucc Number of users who have passed authentication. AcctStart Number of users for whom accounting has been started.
  • Page 81: Display Stop-Accounting-Buffer (For Radius)

    Field Description Accounting on request Counts of accounting-on requests. Accounting on response Counts of accounting-on responses. Dynamic Author Ext request Counts of dynamic authorization extension requests. RADIUS sent messages statistic Statistics for sent RADIUS messages. Auth accept Number of accepted authentication packets. Auth reject Number of rejected authentication packets.
  • Page 82 session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters. time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range. The start time and end time must be in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. user-name user-name: Specifies the stop-accounting requests buffered for a user.
  • Page 83: Key (Radius Scheme View)

    user-name-format • retry • retry stop-accounting • key (RADIUS scheme view) Use key to set the shared key for secure RADIUS authentication/authorization or accounting communication. Use undo key to remove the configuration. Syntax key { accounting | authentication } [ cipher | simple ] key undo key { accounting | authentication } Default No shared key is configured.
  • Page 84: Nas-Backup-Ip

    <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] key accounting ok # For RADIUS scheme radius1, set the shared key for secure authentication/authorization communication to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] key authentication cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B Related commands display radius scheme nas-backup-ip Use nas-backup-ip to specify a backup source IP address for outgoing RADIUS packets in a stateful...
  • Page 85: Nas-Ip (Radius Scheme View)

    The setting configured by the nas-backup-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas the setting configured by the radius nas-backup-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. Examples # For a device working in stateful failover mode, set the source IP address and backup source IP address for outgoing RADIUS packets to 2.2.2.2 and 3.3.3.3, respectively.
  • Page 86: Primary Accounting (Radius Scheme View)

    The source IP address specified for outgoing RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS scheme. Otherwise, the source IP address configuration does not take effect. A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new one overwrites the old one.
  • Page 87: Primary Authentication (Radius Scheme View)

    cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117 characters. • simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters. • If neither cipher nor simple is specified, you set a plaintext shared key string. •...
  • Page 88 undo primary authentication Default No primary RADIUS authentication/authorization server is specified. Views RADIUS scheme view Default command level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication/authorization server. ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization server, which must be a valid global unicast address.
  • Page 89: Radius Client

    If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you remove the primary authentication server when an authentication process is in progress, the communication with the primary server times out, and the device looks for a server in active state from the new primary server on.
  • Page 90: Radius Nas-Backup-Ip

    undo radius client Default The RADIUS client service is enabled. Views System view Default command level 2: System level Usage guidelines When the RADIUS client service is disabled, the following events occur: No more stop-accounting requests of online users can be sent out or buffered, and the RADIUS •...
  • Page 91: Radius Nas-Ip

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the backup source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network backup source IP address. With no VPN specified, the command specifies a public-network backup source IP address.
  • Page 92: Radius Scheme

    Default command level 2: System level Parameters ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address. ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device and cannot be a link-local address.
  • Page 93: Radius Trap

    Default command level 3: Manage level Parameters radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines A RADIUS scheme can be referenced by more than one ISP domain at the same time. A RADIUS scheme referenced by ISP domains cannot be removed. Examples # Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
  • Page 94: Reset Radius Statistics

    When the status of a RADIUS server changes. If a NAS sends a request but receives no response before the maximum number of attempts is exceeded, it places the server in the blocked state and sends a trap message. If a NAS receives a response from a RADIUS server it considered unreachable, it considers that the RADIUS server is reachable again and also sends a trap message.
  • Page 95: Retry

    Syntax reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] Views User view Default command level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme.
  • Page 96: Retry Realtime-Accounting

    Syntax retry retry-times undo retry Default The maximum number of RADIUS packet transmission attempts is 3. Views RADIUS scheme view Default command level 2: System level Parameters retry-times: Maximum number of RADIUS packet transmission attempts, ranging from 1 to 20. Usage guidelines Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
  • Page 97: Retry Stop-Accounting (Radius Scheme View)

    Default command level 2: System level Parameters retry-times: Maximum number of accounting attempts, ranging from 1 to 255. Usage guidelines A RADIUS server usually checks whether a user is online by using a timeout timer. If it receives no real-time accounting request for a user in the timeout period from the NAS, it considers that there may be line or device failures and stops accounting for the user.
  • Page 98: Secondary Accounting (Radius Scheme View)

    Views RADIUS scheme view Default command level 2: System level Parameters retry-times: Maximum number of stop-accounting request transmission attempts, ranging from 10 to 65535. Usage guidelines The maximum number of stop-accounting request transmission attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets. Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of transmission attempts is five (set with the retry command), and the maximum number of stop-accounting request transmission attempts is 20 (set with...
  • Page 99 Default command level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server. ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server, which must be a valid global unicast address. port-number: Specifies the service port number of the secondary RADIUS accounting server, which is a UDP port number ranging from 1 to 65535 and defaults to 1813.
  • Page 100: Secondary Authentication (Radius Scheme View)

    Examples # For RADIUS scheme radius1, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys to hello in plain text. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key hello [Sysname-radius-radius1] secondary accounting 10.110.1.2 1813 key hello...
  • Page 101 cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117 characters. • simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters. • If neither cipher nor simple is specified, you set a plaintext shared key string. •...
  • Page 102: Security-Policy-Server

    For 802.1X authentication, if the status of every server is block, the device assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To make sure the device can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command.
  • Page 103: Server-Type

    Default command level 2: System level Parameters ip-address: Specifies a security policy server by its IP address. all: Specifies all security policy servers. Usage guidelines You can specify up to eight security policy servers for a RADIUS scheme. You can change security policy servers for a RADIUS scheme only when no user is using the scheme. Examples # Specify security policy server 10.110.1.2 for RADIUS scheme radius1.
  • Page 104: State Primary

    state primary Use state primary to set the status of a primary RADIUS server. Syntax state primary { accounting | authentication } { active | block } Default The primary RADIUS server specified for a RADIUS scheme is in active state. Views RADIUS scheme view Default command level...
  • Page 105: Stop-Accounting-Buffer Enable (Radius Scheme View)

    Default Every secondary RADIUS server specified in a RADIUS scheme is in active state. Views RADIUS scheme view Default command level 2: System level Parameters accounting: Sets the status of the secondary RADIUS accounting server. authentication: Sets the status of the secondary RADIUS authentication/authorization server. ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
  • Page 106: Timer Quiet (Radius Scheme View)

    Default The device buffers stop-accounting requests to which no responses are received. Views RADIUS scheme view Default command level 2: System level Usage guidelines Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers.
  • Page 107: Timer Realtime-Accounting (Radius Scheme View)

    Usage guidelines The quiet timer controls whether the device changes the status of an unreachable server from active to blocked and how long the device keeps an unreachable server in blocked state. If you determine that the primary server is unreachable because the device's port connected to the server is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible.
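The server-status rules spread across retry, timer response-timeout, radius trap and timer quiet combine into one piece of behaviour that matters operationally: how long a user waits, and which server answers, when the primary is down. The Python below is an added model of exactly the rules the reference states (attempts spaced by the response timeout, blocked state plus a trap after the last attempt fails, the quiet period, and a trap when a blocked server answers again). It is not HP code and not the router's implementation; the scenario inputs (which servers answer, the simulated clock) are constructed, requests are handled one at a time, and a 5-minute quiet default is assumed for the model.

```python
"""Model of RADIUS server selection driven by retry, timer response-timeout and timer quiet.

Added example for this command reference, not HP code. It encodes only what the reference
states: each server gets 'retry' attempts spaced 'timer response-timeout' seconds apart;
a server that never answers is placed in blocked state with a trap and stays there for the
quiet period (0 means it is tried again on the next request); a blocked server that
answers again is reported reachable. Which servers answer is a constructed scenario input.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Server:
    name: str
    reachable: bool                          # scenario input: does it answer at all?
    blocked_until: Optional[float] = None    # simulated time at which its quiet period ends


@dataclass
class Scheme:
    servers: List[Server]                    # primary first, then secondaries, configured order
    response_timeout: float = 3.0            # timer response-timeout (reference default: 3 s)
    retry: int = 3                           # retry (reference default: 3 attempts)
    quiet: float = 300.0                     # timer quiet, seconds (5 minutes assumed here)
    traps: List[str] = field(default_factory=list)

    def status(self, srv: Server, now: float) -> str:
        if srv.blocked_until is not None and now < srv.blocked_until:
            return "blocked"
        return "active"

    def authenticate(self, now: float) -> Tuple[Optional[str], float]:
        """Return (name of the server that answered, or None; seconds spent waiting)."""
        waited = 0.0
        for srv in self.servers:
            if self.status(srv, now + waited) == "blocked":
                continue                                    # skipped for the rest of the quiet period
            for _attempt in range(self.retry):
                if srv.reachable:
                    if srv.blocked_until is not None:       # was blocked, quiet over, answers now
                        self.traps.append(f"{srv.name} reachable again")
                        srv.blocked_until = None
                    return srv.name, waited
                waited += self.response_timeout             # no reply within the timeout: retransmit
            # Every attempt timed out: block the server and raise a trap.
            srv.blocked_until = now + waited + self.quiet
            self.traps.append(f"{srv.name} unreachable, blocked")
        return None, waited                                 # no server answered


if __name__ == "__main__":
    # Constructed scenario with the page's example values: response timeout 3 s, retry 5.
    scheme = Scheme([Server("primary", False), Server("secondary", True)], response_timeout=3.0, retry=5)
    print("t=0   ", scheme.authenticate(0.0))      # secondary answers after 15 s of timeouts
    print("t=100 ", scheme.authenticate(100.0))    # primary still blocked: no delay
    print("t=400 ", scheme.authenticate(400.0))    # quiet period over: primary probed again
    print("traps ", scheme.traps)
    dead = Scheme([Server("primary", False), Server("secondary", False)], response_timeout=3.0, retry=5)
    print("all down", dead.authenticate(0.0))      # (None, 30.0): every server blocked
```

With the page's example values (response timeout 3 s, retry 5) a dead primary costs 15 s before the secondary is even tried; that is the delay users see and the one portal and 802.1X supplicant timers have to tolerate. A quiet period of 0 makes the device go back to the primary as soon as it returns but re-pays that 15 s on every request while it is down, and when every server is blocked the 802.1X critical VLAN rule noted under secondary authentication applies.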
  • Page 108: Timer Response-Timeout (Radius Scheme View)

    Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more). Table 9 Recommended real-time accounting intervals Number of users Real-time accounting interval (in minutes)
  • Page 109: User-Name-Format (Radius Scheme View)

    Examples # Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer response-timeout 5 Related commands retry user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Syntax user-name-format { keep-original | with-domain | without-domain } Default...
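Several entries on this page describe how a NAS turns the name a user types into the name it sends to the server: domain default enable (users whose login carries no domain fall into the default domain), domain if-unknown and the ISP domain name character set, the local-user name rules, and user-name-format above. The Python below is an added model that puts those rules together; it is example code written for this page, not HP's implementation. Splitting the login at its single `@` (the character is forbidden in both parts), rejecting a login for which no domain can be resolved, and appending the resolved domain under with-domain even when the login carried none are assumptions made here.

```python
"""Login-name handling on a NAS: name validation, ISP domain resolution, RADIUS username format.

Added example for this command reference, not HP code. It encodes the rules the reference
states for local-user names, ISP domain names, domain default enable, domain if-unknown and
user-name-format. Splitting at the single '@' (both parts forbid '@') and appending the
resolved domain under with-domain when the login carried none are assumptions made here.
"""
from typing import Iterable, Optional, Tuple

_USER_FORBIDDEN = set("\\/|:*?<>@")       # local-user: no \ / | : * ? < > @
_USER_RESERVED = {"a", "al", "all"}       # local-user: cannot be a, al or all
_DOMAIN_FORBIDDEN = set("/\\:*?<>\"@")    # domain: no / \ : * ? < > " @


def valid_local_user_name(name: str) -> bool:
    """Case-sensitive, 1 to 55 characters, no forbidden character, not a reserved word."""
    return (1 <= len(name) <= 55
            and not (_USER_FORBIDDEN & set(name))
            and name not in _USER_RESERVED)


def valid_isp_domain_name(name: str) -> bool:
    """Case-insensitive, 1 to 24 characters, no forbidden character."""
    return 1 <= len(name) <= 24 and not (_DOMAIN_FORBIDDEN & set(name))


class DomainResolver:
    """Mirrors 'domain default enable' and 'domain if-unknown' for incoming login names."""

    def __init__(self, configured: Iterable[str], default: Optional[str] = None,
                 if_unknown: Optional[str] = None):
        # Domain names compare case-insensitively, so everything is kept lower-case.
        self.configured = {d.lower() for d in configured}
        self.default = default.lower() if default else None
        self.if_unknown = if_unknown.lower() if if_unknown else None
        for d in (self.configured | {self.default, self.if_unknown}) - {None}:
            if not valid_isp_domain_name(d):
                raise ValueError(f"bad ISP domain name: {d!r}")

    def resolve(self, login: str) -> Tuple[str, str]:
        """Return (user, domain) for a login name, or raise ValueError if no domain applies."""
        if login.count("@") > 1:            # '@' is forbidden in both parts, so at most one
            raise ValueError(f"more than one '@' in {login!r}")
        user, sep, domain = login.partition("@")
        if not valid_local_user_name(user):
            raise ValueError(f"bad user name: {user!r}")
        if not sep:                         # no domain carried: the default ISP domain applies
            if self.default is None:
                raise ValueError("no domain in login and no default domain configured")
            return user, self.default
        domain = domain.lower()
        if not valid_isp_domain_name(domain):
            raise ValueError(f"bad domain name: {domain!r}")
        if domain in self.configured:
            return user, domain
        if self.if_unknown is not None:     # domain if-unknown: unknown domain -> fallback domain
            return user, self.if_unknown
        raise ValueError(f"unknown ISP domain {domain!r}")


def radius_user_name(login: str, user: str, domain: str, fmt: str) -> str:
    """user-name-format { keep-original | with-domain | without-domain } applied to a login."""
    if fmt == "keep-original":
        return login                        # exactly what the user typed, case and domain intact
    if fmt == "with-domain":
        return f"{user}@{domain}"           # assumption: the resolved domain is appended
    if fmt == "without-domain":
        return user
    raise ValueError(f"unknown user-name-format {fmt!r}")


if __name__ == "__main__":
    # Constructed configuration: two ISP domains, corp is the default, lab catches unknown domains.
    resolver = DomainResolver(["corp", "lab"], default="corp", if_unknown="lab")
    for login in ("alice@CORP", "bob", "carol@partner", "all", "eve@x@corp"):
        try:
            user, domain = resolver.resolve(login)
            print(login, "->", {f: radius_user_name(login, user, domain, f)
                                for f in ("keep-original", "with-domain", "without-domain")})
        except ValueError as err:
            print(login, "-> rejected:", err)
```

The choice of format matters for the server side: with-domain and without-domain are what let one RADIUS server distinguish, or deliberately merge, users from several ISP domains, while keep-original preserves whatever case and domain the user typed, which is the setting to use when the server's own user names carry a realm.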
  • Page 110: Vpn-Instance (Radius Scheme View)

    vpn-instance (RADIUS scheme view) Use vpn-instance to specify a VPN instance for a RADIUS scheme. Use undo vpn-instance to remove the configuration. Syntax vpn-instance vpn-instance-name undo vpn-instance Views RADIUS scheme view Default command level 2: System level Parameters vpn-instance-name: Name of the MPLS VPN, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN instance specified here applies to all IPv4 servers in the RADIUS scheme for which no specific VPN instance is specified.
  • Page 111: Display Hwtacacs

    Default command level 2: System level Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 112 include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines The following matrix shows the option and router compatibility: Option 6602 HSR6602 6604/6608/6616 slot slot-number If no HWTACACS scheme is specified, the command displays the configuration of all HWTACACS schemes.
  • Page 113 Packet traffic-unit : one-packet -------------------------------------------------------------------- Table 10 Command output Field Description HWTACACS-server template name Name of the HWTACACS scheme. Primary-authentication-server IP address and port number of the primary authentication server. If no primary authentication server is specified, this field displays 0.0.0.0:0. This rule also applies to the following eight fields.
  • Page 114: Hwtacacs Scheme

    HWTACACS authen client access request send authentication number: 0 HWTACACS authen client access request send password number: 0 HWTACACS authen client access connect abort number: 0 HWTACACS authen client access connect packet number: 5 HWTACACS authen client access response error number: 0 HWTACACS authen client access response failure number: 0 HWTACACS authen client access response follow number: 0 HWTACACS authen client access response getdata number: 0...
  • Page 115: Display Stop-Accounting-Buffer (For Hwtacacs)

    display stop-accounting-buffer (for HWTACACS) Use display stop-accounting-buffer to display information about buffered stop-accounting requests. Syntax display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined...
  • Page 116: Hwtacacs Nas-Ip

    retry stop-accounting • hwtacacs nas-ip Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets. Use undo hwtacacs nas-ip to remove the configuration. Syntax hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ] undo hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ] Default The source IP address of a packet sent to the server is the IP address of the outbound interface.
  • Page 117: Hwtacacs Scheme

    hwtacacs scheme Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view. Use undo hwtacacs scheme to delete an HWTACACS scheme. Syntax hwtacacs scheme hwtacacs-scheme-name undo hwtacacs scheme hwtacacs-scheme-name Default No HWTACACS scheme exists. Views System view Default command level 3: Manage level Parameters...
  • Page 118: Nas-Ip (Hwtacacs Scheme View)

    Parameters accounting: Sets the shared key for secure HWTACACS accounting communication. authentication: Sets the shared key for secure HWTACACS authentication communication. authorization: Sets the shared key for secure HWTACACS authorization communication. cipher: Sets a ciphertext shared key. simple: Sets a plaintext shared key. key: Specifies the shared key string.
  • Page 119: Primary Accounting (Hwtacacs Scheme View)

    Default The source IP address of an outgoing HWTACACS packet is configured by the hwtacacs nas-ip command in system view. If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface. Views HWTACACS scheme view Default command level...
  • Page 120: Primary Authentication (Hwtacacs Scheme View)

    Default command level 2: System level Parameters ip-address: IP address of the primary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS accounting server. It is a TCP port in the range of 1 to 65535 and defaults to 49.
  • Page 121: Primary Authorization

    Views HWTACACS scheme view Default command level 2: System level Parameters ip-address: IP address of the primary HWTACACS authentication server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS authentication server. It is a TCP port in the range of 1 to 65535 and defaults to 49.
  • Page 122: Reset Hwtacacs Statistics

    Default No primary HWTACACS authorization server is specified. Views HWTACACS scheme view Default command level 2: System level Parameters ip-address: IP address of the primary HWTACACS authorization server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS authorization server. It is a TCP port in the range of 1 to 65535 and defaults to 49.
  • Page 123: Reset Stop-Accounting-Buffer (For Hwtacacs)

    Views User view Default command level 1: Monitor level Parameters accounting: Specifies the HWTACACS accounting statistics. all: Specifies all HWTACACS statistics. authentication: Specifies the HWTACACS authentication statistics. authorization: Specifies the HWTACACS authorization statistics. slot slot-number: Specifies the HWTACACS statistics for the card in the specified slot. Usage guidelines The following matrix shows the option and router compatibility: Option...
  • Page 124: Retry Stop-Accounting (Hwtacacs Scheme View)

    Usage guidelines The following matrix shows the option and router compatibility: Option 6602 HSR6602 6604/6608/6616 slot slot-number Examples # Clear the stop-accounting requests buffered for HWTACACS scheme hwt1. <Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1 Related commands stop-accounting-buffer enable • display stop-accounting-buffer •...
  • Page 125: Secondary Accounting (Hwtacacs Scheme View)

    secondary accounting (HWTACACS scheme view) Use secondary accounting to specify a secondary HWTACACS accounting server. Use undo secondary accounting to remove the configuration. Syntax secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] * undo secondary accounting Default No secondary HWTACACS accounting server is specified. Views HWTACACS scheme view Default command level...
  • Page 126: Secondary Authentication (Hwtacacs Scheme View)

    vpn-instance (HWTACACS scheme view) • secondary authentication (HWTACACS scheme view) Use secondary authentication to specify a secondary HWTACACS authentication server. Use undo secondary authentication to remove the configuration. Syntax secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] * undo secondary authentication Default No secondary HWTACACS authentication server is specified.
  • Page 127: Secondary Authorization

    Related commands display hwtacacs • vpn-instance (HWTACACS scheme view) • secondary authorization Use secondary authorization to specify a secondary HWTACACS authorization server. Use undo secondary authorization to remove the configuration. Syntax secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] * undo secondary authorization Default No secondary HWTACACS authorization server is specified.
  • Page 128: Stop-Accounting-Buffer Enable (Hwtacacs Scheme View)

    Related commands • display hwtacacs • vpn-instance (HWTACACS scheme view) stop-accounting-buffer enable (HWTACACS scheme view) Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received. Use undo stop-accounting-buffer enable to disable the buffering function. Syntax stop-accounting-buffer enable undo stop-accounting-buffer enable...
  • Page 129: Timer Realtime-Accounting (Hwtacacs Scheme View)

    Default The primary server quiet period is 5 minutes. Views HWTACACS scheme view Default command level 2: System level Parameters minutes: Primary server quiet period. The value ranges from 1 to 255, in minutes. Usage guidelines When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until the quiet timer expires.
  • Page 130: Timer Response-Timeout (Hwtacacs Scheme View)

    Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance. Use a longer interval when there are a large number of users (more than 1000, inclusive). Table 11 Recommended real-time accounting intervals Number of users Real-time accounting interval (in minutes) 1 to 99...
  • Page 131: User-Name-Format (Hwtacacs Scheme View)

    Related commands display hwtacacs user-name-format (HWTACACS scheme view) Use user-name-format to specify the format of the username to be sent to an HWTACACS server. Syntax user-name-format { keep-original | with-domain | without-domain } Default The ISP domain name is included in the username. Views HWTACACS scheme view Default command level...
  • Page 132 Syntax vpn-instance vpn-instance-name undo vpn-instance Views HWTACACS scheme view Default command level 2: System level Parameters vpn-instance-name: Name of MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified.
  • Page 133: 802.1X Commands

    802.1X commands 802.1X commands are supported only on a SAP module that is operating in bridge mode. display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 134 EAD quick deploy is enabled Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Reauth Period 3600 s The maximal retransmitting times EAD quick deploy configuration: URL: http://192.168.19.23 Free IP: 192.168.19.0 255.255.255.0 EAD timeout:...
  • Page 135 Table 12 Command output Field Description Equipment 802.1X protocol is enabled Whether 802.1X is enabled globally. CHAP authentication is enabled Whether CHAP authentication is enabled. Whether the device sends a trap when detecting that a user is Proxy trap checker is disabled accessing the network through a proxy.
  • Page 136 Field Description Authenticate Mode is Auto Authorization state of the port. Port Control Type is Port-based Access control method of the port. 802.1X Multicast-trigger is enabled Whether the 802.1X multicast-trigger function is enabled. Mandatory authentication domain Mandatory authentication domain on the port. 802.1X guest VLAN configured on the port.
  • Page 137: Dot1X

    dot1x Use dot1x to enable 802.1X. Use undo dot1x to disable 802.1X. Syntax In system view: dot1x [ interface interface-list ] undo dot1x [ interface interface-list ] In Ethernet interface view: dot1x undo dot1x Default 802.1X is neither enabled globally nor enabled for any port. Views System view, Ethernet interface view Default command level...
  • Page 138: Dot1X Authentication-Method

    <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] dot1x [Sysname-GigabitEthernet3/0/1] quit [Sysname] interface gigabitethernet 3/0/5 [Sysname-GigabitEthernet3/0/5] dot1x [Sysname-GigabitEthernet3/0/5] quit [Sysname] interface gigabitethernet 3/0/6 [Sysname-GigabitEthernet3/0/6] dot1x [Sysname-GigabitEthernet3/0/6] quit [Sysname] interface gigabitethernet 3/0/7 [Sysname-GigabitEthernet3/0/7] dot1x # Enable 802.1X globally. <Sysname> system-view [Sysname] dot1x Related commands display dot1x dot1x authentication-method...
  • Page 139: Dot1X Auth-Fail Vlan

    PAP transports usernames and passwords in clear text. The authentication method applies to scenarios that do not require high security. To use PAP, the client must be an HP iNode 802.1X client. CHAP transports username in plaintext and encrypted password over the network. It is more secure than PAP.
  • Page 140: Dot1X Critical Vlan

    Parameters authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2 LAN Switching Configuration Guide.
  • Page 141: Dot1X Critical Recovery-Action

    Parameters vlan-id: Specifies a VLAN ID in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2 LAN Switching Configuration Guide. Usage guidelines You can configure only one critical VLAN on a port.
  • Page 142: Dot1X Domain-Delimiter

    Usage guidelines The dot1x critical recovery-action command takes effect only for the 802.1X users in the critical VLAN on a port. It enables the port to take one of the following actions to trigger 802.1X authentication after removing 802.1X users from the critical VLAN on detection of a reachable RADIUS authentication server: If MAC-based access control is used, the port sends a unicast Identity EAP/Request to each 802.1X •...
  • Page 143: Dot1X Guest-Vlan

    Examples # Specify the characters @, /, and \ as domain name delimiters. <Sysname> system-view [Sysname] dot1x domain-delimiter @\/ dot1x guest-vlan Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on a port accommodates users that have not performed 802.1X authentication.
  • Page 144: Dot1X Handshake

    To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN configuration first. You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port. Examples # Specify VLAN 999 as the 802.1X guest VLAN for port GigabitEthernet 3/0/1 <Sysname>...
  • Page 145: Dot1X Handshake Secure

    HP recommends that you use the iNode client software to ensure the normal operation of the online user handshake function. Examples # Enable the online user handshake function. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/4 [Sysname-GigabitEthernet3/0/4] dot1x handshake dot1x handshake secure Use dot1x handshake secure to enable the online user handshake security function.
  • Page 146: Dot1X Max-User

    undo dot1x mandatory-domain Default No mandatory authentication domain is specified. Views Ethernet interface view Default command level 2: System level Parameters domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. Usage guidelines When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.
  • Page 147 Syntax In system view: dot1x max-user user-number [ interface interface-list ] undo dot1x max-user [ interface interface-list ] In Ethernet interface view: dot1x max-user user-number undo dot1x max-user Default The port supports a maximum of 1024 concurrent 802.1X users. Views System view, Ethernet interface view Default command level 2: System level...
  • Page 148: Dot1X Multicast-Trigger

    Related commands display dot1x dot1x multicast-trigger Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X clients and trigger authentication. Use undo dot1x multicast-trigger to disable the function. Syntax dot1x multicast-trigger undo dot1x multicast-trigger...
  • Page 149: Dot1X Port-Method

    undo dot1x port-control Default The default port authorization state is auto. Views System view, Ethernet interface view Default command level 2: System level Parameters authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication.
  • Page 150 Use undo dot1x port-method to restore the default. Syntax In system view: dot1x port-method { macbased | portbased } [ interface interface-list ] undo dot1x port-method [ interface interface-list ] In Ethernet interface view: dot1x port-method { macbased | portbased } undo dot1x port-method Default MAC-based access control applies.
  • Page 151: Dot1X Quiet-Period

    [Sysname] dot1x port-method portbased interface gigabitethernet 3/0/2 to gigabitethernet 3/0/5 Related commands display dot1x dot1x quiet-period Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. Use undo dot1x quiet-period to disable the timer.
  • Page 152: Dot1X Retry

    Default command level 2: System level Usage guidelines Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. You can use the dot1x timer reauth-period command to configure the interval for re-authentication.
  • Page 153: Dot1X Supp-Proxy-Check

    Examples # Set the maximum number of attempts for sending an authentication request to a client as 9. <Sysname> system-view [Sysname] dot1x retry 9 Related commands display dot1x dot1x supp-proxy-check Use dot1x supp-proxy-check to enable the proxy detection function and set the processing method on the specified ports or all ports.
  • Page 154: Dot1X Timer

    Examples # Configure ports GigabitEthernet 3/0/1 to 3/0/8 to log off users accessing the network through a proxy. <Sysname> system-view [Sysname] dot1x supp-proxy-check logoff [Sysname] dot1x supp-proxy-check logoff interface gigabitethernet 3/0/1 to gigabitethernet 3/0/8 # Configure port GigabitEthernet 3/0/9 to send a trap when a user is detected accessing the network through a proxy.
  • Page 155: Dot1X Unicast-Trigger

    supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120. tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120. Usage guidelines You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response, or adjust the server timeout timer to adapt to the performance of different authentication servers.
  • Page 156: Reset Dot1X Statistics

    Default The unicast trigger function is disabled. Views Ethernet interface view Default command level 2: System level Usage guidelines The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast Identity EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has received no response within a period of time (set with the dot1x timer tx-period command).
  • Page 157 Examples # Clear 802.1X statistics on port GigabitEthernet 3/0/1. <Sysname> reset dot1x statistics interface gigabitethernet 3/0/1 Related commands display dot1x...
  • Page 158: Ead Fast Deployment Commands

    EAD fast deployment commands EAD fast deployment commands are supported only on a SAP module that is operating in bridge mode. dot1x free-ip Use dot1x free-ip to configure a free IP. Users can access the segment before passing 802.1X authentication. Use undo dot1x free-ip to remove the specified or all free IP addresses.
  • Page 159: Dot1X Url

    Syntax dot1x timer ead-timeout ead-timeout-value undo dot1x timer ead-timeout Default The timer is 30 minutes. Views System view Default command level 2: System level Parameters ead-timeout-value: Specifies the EAD rule timer in minutes. The value range is 1 to 1440. Usage guidelines EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network.
  • Page 160 Default command level 2: System level Parameters url-string: Specifies the redirect URL, a case-sensitive string of 1 to 64 characters in the format http://string. Usage guidelines The redirect URL must be on the free IP subnet. If you configure the dot1x url command multiple times, the last configured URL takes effect. Examples # Configure the redirect URL as http://192.168.0.1.
  • Page 161: Mac Authentication Configuration Commands

    MAC authentication configuration commands MAC authentication commands are available only for SAP modules that are operating in bridge mode. display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics, including global settings, and port-specific settings and MAC authentication and online user statistics. Syntax display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views...
  • Page 162 Server response timeout value is 100s The max allowed user number is 2048 per slot Current user number amounts to 0 Current domain: not configured, use default domain Silent Mac User info: MAC Addr From Port Port Index GigabitEthernet3/0/1 is link-up MAC address authentication is enabled Authenticate success: 0, failed: 0 Max number of on-line users is 1024...
  • Page 163: Mac-Authentication

    Field Description Status of the link on port GigabitEthernet 3/0/1. In this example, the link GigabitEthernet3/0/1 is link-up is up. MAC address authentication is Whether MAC authentication is enabled on port GigabitEthernet enabled 3/0/1. MAC authentication statistics, including the number of successful and Authenticate success: 0, failed: 0 unsuccessful authentication attempts.
  • Page 164: Mac-Authentication Domain

    Default command level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges.
  • Page 165: Mac-Authentication Max-User

    Parameters domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@). Usage guidelines The global authentication domain is applicable to all MAC authentication enabled ports.
  • Page 166: Mac-Authentication Timer

    [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] mac-authentication max-user 32 mac-authentication timer Use mac-authentication timer to set the MAC authentication timers. Use undo mac-authentication timer to restore the default settings. Syntax mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } undo mac-authentication timer { offline-detect | quiet | server-timeout } Default The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100...
  • Page 167 Use undo mac-authentication user-name-format to restore the default. Syntax mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] } undo mac-authentication user-name-format Default Each user's MAC address is used as the username and password for MAC authentication, and letters...
  • Page 168: Reset Mac-Authentication Statistics

    Examples # Configure a shared account for MAC authentication users, and set the username as abc and password as a plaintext string of xyz. <Sysname> system-view [Sysname] mac-authentication user-name-format fixed account abc password simple xyz # Configure a shared account for MAC authentication users, and set the username as abc and password as a ciphertext string of $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg.
  • Page 169: Portal Configuration Commands

    Portal configuration commands Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting. access-user detect Use access-user detect to configure the online portal user detection function. Use undo access-user detect to restore the default. Syntax access-user detect type arp retransmit number interval interval undo access-user detect...
  • Page 170: Display Portal Acl

    Examples # Configure the portal user detection function on interface GigabitEthernet 0/1, specifying the probe packets as ARP requests, maximum number of probe attempts as 3, and probe interval as 10 seconds. <Sysname> system-view [Sysname] interface gigabitethernet0/1 [Sysname-GigabitEthernet0/1] access-user detect type arp retransmit 3 interval 10 display portal acl Use display portal acl to display the ACLs on a specific interface.
  • Page 171 Port : 50000 ~ 51000 : 0000-0000-0000 Interface : any VLAN Destination: : 111.111.111.111 Mask : 255.255.255.255 Port : 40000 Rule 1 Inbound interface : GigabitEthernet3/0/1 Type : static Action : permit Protocol Source: : 0.0.0.0 Mask : 0.0.0.0 Port : 23 : 0000-0000-0000 Interface : any...
  • Page 172: Display Portal Connection Statistics

    Mask : 255.255.255.255 : 000d-88f8-0eab Interface : GigabitEthernet3/0/1 VLAN Protocol Destination: : 0.0.0.0 Mask : 0.0.0.0 Author ACL: Number : 3001 Table 14 Command output Field Description Rule Sequence number of the portal ACL, which is numbered from 0 in ascending order. Inbound interface Interface to which the portal ACL is bound.
  • Page 173 Syntax display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and number. |: Filters command output by specifying a regular expression.
  • Page 174 MSG_LOGIN_REQ MSG_LOGOUT_REQ MSG_LEAVING_REQ MSG_ARPPKT MSG_PORT_REMOVE MSG_VLAN_REMOVE MSG_IF_REMOVE MSG_IF_SHUT MSG_IF_DISPORTAL MSG_IF_UP MSG_ACL_RESULT MSG_AAACUTBKREQ MSG_CUT_BY_USERINDEX MSG_CUT_L3IF MSG_IP_REMOVE MSG_ALL_REMOVE MSG_IFIPADDR_CHANGE MSG_SOCKET_CHANGE MSG_NOTIFY MSG_SETPOLICY MSG_SETPOLICY_RESULT Table 15 Command output Field Description User state statistics Statistics on portal users. State-Name Name of a user state. User-Num Number of users in a specific state.
  • Page 175: Display Portal Free-Rule

    Field Description MSG_ARPPKT ARP message. MSG_PORT_REMOVE Users-of-a-Layer-2-port-removed message. MSG_VLAN_REMOVE VLAN user removed message. Users-removed message, indicating the users on a Layer 3 interface were MSG_IF_REMOVE removed because the Layer 3 interface was removed. MSG_IF_SHUT Layer 3 interface shutdown message. MSG_IF_DISPORTAL Portal-disabled-on-interface message.
  • Page 176 include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about portal-free rule 1. <Sysname> display portal free-rule 1 Rule-Number Source: : 2.2.2.0 Mask : 255.255.255.0 Port...
  • Page 177: Display Portal Interface

    Field Description Destination Destination information in the portal-free rule. Destination IP address in the portal-free rule. Mask Subnet mask of the destination IP address in the portal-free rule. Port Destination transport layer port number in the portal-free rule. Protocol Transport layer protocol number in the portal-free rule. Related commands portal free-rule display portal interface...
  • Page 178: Display Portal Server

    Table 17 Command output Field Description Portal configuration of interface Portal configuration on the interface. IPv4 IPv4 portal configuration. Status of the portal authentication on the interface: • Portal disabled—Portal authentication is disabled. Status • Portal enabled—Portal authentication is enabled but is not functioning. •...
  • Page 179: Display Portal Server Statistics

    • Server Type CMCC—CMCC portal server. • IMC—HP IMC portal server. Current status of the portal server. Possible values include: • N/A—The server is not referenced on any interface, or the server detection function is not enabled. The reachability of the portal server is unknown.
  • Page 180 Views Any view Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  • Page 181 NTF_AUTH ACK_NTF_AUTH REQ_QUERY_STATE ACK_QUERY_STATE RESERVED33 RESERVED35 Table 19 Command output Field Description Interface Interface referencing the portal server. Invalid packets Number of invalid packets. Pkt-Name Packet type. Total Total number of packets. Discard Number of discarded packets. Checkerr Number of erroneous packets. REQ_CHALLENGE Challenge request message the portal server sent to the access device.
  • Page 182: Display Portal Tcp-Cheat Statistics

    Field Description NTF_CHALLENGE Challenge request the access device sent to the portal server. User information notification message the access device sent to the portal NTF_USER_NOTIFY server. NTF_USER_NOTIFY acknowledgment message the access device sent to AFF_NTF_USER_NOTIFY the portal server. Forced authentication notification message the portal server sent to the NTF_AUTH access device.
  • Page 183: Display Portal User

    Packets Sent: 0 Packets Retransmitted: 0 Packets Dropped: 0 HTTP Packets Sent: 0 Connection State: SYN_RECVD: 0 ESTABLISHED: 0 CLOSE_WAIT: 0 LAST_ACK: 0 FIN_WAIT_1: 0 FIN_WAIT_2: 0 CLOSING: 0 Table 20 Command output Field Description TCP Cheat Statistic TCP spoofing statistics. Total Opens Total number of opened connections.
  • Page 184 Default command level 1: Monitor level Parameters all: Specifies all interfaces. interface interface-type interface-number: Specifies an interface by its type and name. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  • Page 185: Portal Auth-Network

    Field Description User's working mode: • Primary. Work-mode • Secondary. • Stand-alone. VPN instance MPLS L3VPN to which the portal server belongs. MAC address of the portal user. IP address of the portal user. Vlan VLAN to which the portal user belongs. Interface Interface to which the portal user is attached.
  • Page 186: Portal Auth-Network Destination

    authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users. You can configure multiple authentication source subnets by executing the portal auth-network command. The system supports up to 16 authentication source subnets and destination subnets. Examples # Configure a portal authentication source subnet of 10.10.10.0/24 on GigabitEthernet 3/0/1 to allow users from subnet 10.10.10.0/24 to trigger portal authentication.
  • Page 187: Portal Backup-Group

    If both an authentication source subnet and destination subnet are configured on an interface, only the authentication destination subnet takes effect. Examples # Configure a portal authentication destination subnet of 2.2.2.0/24 on GigabitEthernet 3/0/1, so that only users accessing subnet 2.2.2.0/24 trigger portal authentication on the interface. Users can access other subnets through the interface without portal authentication.
  • Page 188: Portal Delete-User

    Command 6602 HSR6602 6604/6608/6616 portal backup-group Examples # In the stateful failover networking environment, add the portal service backup interface GigabitEthernet 0/0/1 to portal group 1 on the source backup device. <Sysname> system-view [Sysname] interface gigabitethernet 0/0/1 [Sysname-GigabitEthernet0/0/1] portal backup-group 1 On the peer device (destination backup device), you must also add the corresponding service backup interface into portal group 1.
  • Page 189: Portal Free-Rule

    undo portal domain Default No authentication domain is specified for portal users on an interface. Views Interface view Default command level 2: System level Parameters domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain specified by this argument must already exist. Examples # Configure the authentication domain for IPv4 portal users on GigabitEthernet 3/0/1 as my-domain.
  • Page 190: Portal Max-User

    mask { mask-length | mask }: Specifies a mask or mask length for the IP address. The mask argument is a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer in the range of 0 to 32. tcp tcp-port-number [ to tcp-port-number ]: Specifies a range of TCP port numbers.
  • Page 191: Portal Nas-Id

    Views System view Default command level 2: System level Parameters max-number: Maximum number of online portal users allowed in the system. The following matrix shows the value range for the max-number argument on different 6600/HSR6600 routers: Argument 6602 HSR6602 6604/6608/6616 •...
  • Page 192: Portal Nas-Id-Profile

    Views Interface view, system view Default command level 2: System level Parameters nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters. This value is used as the value of the NAS-Identifier attribute in the RADIUS request to be sent to the RADIUS server when a portal user logs on from an interface.
  • Page 193: Portal Nas-Ip

    • If a NAS ID is configured using the portal nas-id command, the device uses the configured NAS ID as that of the interface. • If the interface has no NAS ID configured, the device uses the device name as the interface NAS ID. •...
  • Page 194: Portal Nas-Port-Type

    undo portal nas-port-id Default No NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request. Views Interface view Default command level 2: System level Parameters nas-port-id-value: NAS-Port-ID value, a case-sensitive string of 1 to 253 characters.
  • Page 195: Portal Redirect-Url

    wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless. Examples # Specify the NAS-Port-Type value of GigabitEthernet 3/0/1 as IEEE 802.11 standard wireless interface.
  • Page 196 Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters. ip ip-address: Specifies the IP address of the portal server. In portal stateful failover environments, HP recommends specifying the virtual IP address of the VRRP group to which the downlink belongs as the portal server IP address.
  • Page 197: Portal Server Method

    For security purposes, all passwords, including passwords configured in plain text, are saved in cipher text to the configuration file. Examples # Configure portal server pts, setting the IP address to 192.168.0.111, the key to portal in plain text, and the redirection URL to http://192.168.0.113/portal.
  • Page 198: Portal Server Server-Detect

    Related commands display portal server portal server server-detect Use portal server server-detect to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. When this function is configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes.
  • Page 199 log: Specifies the action as sending a log message. When the status (reachable/unreachable) of a • portal server changes, the access device sends a log message. The log message contains the portal server name and the current state and original state of the portal server. •...
  • Page 200: Portal Server User-Sync

    portal server user-sync Use portal server user-sync to configure portal user information synchronization with a specific portal server. When this function is configured, the device periodically checks and responds to the user synchronization packet received from the specified portal server, so as to keep the consistency of the online user information on the device and the portal server.
  • Page 201: Reset Portal Connection Statistics

    Examples # Configure the device to synchronize portal user information with portal server pts: • Setting the synchronization probe interval to 600 seconds • Specifying the device to log off users if information of the users does not exist in the user synchronization packets sent from the server in two consecutive probe intervals.
  • Page 202: Reset Portal Tcp-Cheat Statistics

    reset portal tcp-cheat statistics Use reset portal tcp-cheat statistics to clear TCP spoofing statistics. Syntax reset portal tcp-cheat statistics Views User view Default command level 1: Monitor level Examples # Clear TCP spoofing statistics. <Sysname> reset portal tcp-cheat statistics...
  • Page 203: Port Security Configuration Commands

    Port security configuration commands The port security commands are available only for SAP modules that are operating in bridge mode. display port-security Use display port-security to display port security configuration information, operation information, and statistics for one or more ports. Syntax display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Views...
  • Page 204 RALM logfailure trap is enabled AutoLearn aging time is 1 minutes Disableport Timeout: 20s OUI value: Index is 1, OUI value is 000d1a Index is 2, OUI value is 003c12 GigabitEthernet3/0/1 is link-down Port mode is userLoginWithOUI NeedToKnow mode is NeedToKnowOnly Intrusion Portection mode is DisablePort Max MAC address number is 50 Stored MAC address number is 0...
  • Page 205 Field Description Disableport Timeout Silence timeout period of the port that receives illegal packets, in seconds. OUI value List of OUI values allowed. Port security mode: • noRestrictions. • autoLearn. • macAddressWithRadius. • macAddressElseUserLoginSecure. • macAddressElseUserLoginSecureExt. • Port mode secure. •...
  • Page 206: Display Port-Security Mac-Address Block

    Related commands • port-security enable • port-security port-mode • port-security ntk-mode • port-security intrusion-mode • port-security max-mac-count • port-security mac-address security • port-security authorization ignore • port-security oui • port-security trap display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses. Syntax display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]...
  • Page 207 000f-3d80-0d2d GigabitEthernet3/0/1 --- On slot 3, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display the count of all blocked MAC addresses. <Sysname> display port-security mac-address block count --- On slot 2, no mac address found --- --- On slot 3, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses in VLAN 30.
  • Page 208: Display Port-Security Mac-Address Security

    Field Description VLAN ID ID of the VLAN to which the port belongs. On slot n, x mac address(es) found Number of blocked MAC addresses on slot n. x mac address(es) found Total number of blocked MAC addresses. Related commands port-security intrusion-mode display port-security mac-address security Use display port-security mac-address security to display information about secure MAC addresses.
  • Page 209: Port-Security Authorization Ignore

    2 mac address(es) found # Display only the count of the secure MAC addresses. <Sysname> display port-security mac-address security count This operation may take a few minutes, please wait..2 mac address(es) found # Display information about secure MAC addresses in VLAN 1. <Sysname>...
  • Page 210: Port-Security Enable

    Use undo port-security authorization ignore to restore the default. Syntax port-security authorization ignore undo port-security authorization ignore Default A port uses the authorization information from the server. Views Ethernet interface view Default command level 2: System level Usage guidelines After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user's account.
  • Page 211: Port-Security Intrusion-Mode

    Port security mode is noRestrictions. You cannot disable port security when online users are present. Examples # Enable port security. <Sysname> system-view [Sysname] port-security enable Related commands: display port-security, dot1x, dot1x port-method, dot1x port-control, mac-authentication, ...
  • Page 212: Port-Security Mac-Address Aging-Type Inactivity

    Examples # Configure port GigabitEthernet 3/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] port-security intrusion-mode blockmac Related commands: display port-security, display port-security mac-address block, port-security timer disableport, ...
  • Page 213: Port-Security Mac-Address Dynamic

    port-security mac-address dynamic Use port-security mac-address dynamic to enable the dynamic secure MAC function. This function converts sticky MAC addresses to dynamic ones and disables saving them to the configuration file. Use undo port-security mac-address dynamic to disable the dynamic secure MAC function. Then, all dynamic secure MAC addresses are converted to sticky MAC addresses, and you can manually configure sticky MAC addresses.
  • Page 214 undo port-security mac-address security [ sticky ] mac-address vlan vlan-id In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ] Default No secure MAC address entry is configured.
  • Page 215: Port-Security Max-Mac-Count

    Examples # Enable port security, set port GigabitEthernet 3/0/1 in autoLearn mode, and add a static secure MAC address 0001-0001-0002 in VLAN 10. <Sysname> system-view [Sysname] port-security enable [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] port-security max-mac-count 100 [Sysname-GigabitEthernet3/0/1] port-security port-mode autolearn [Sysname-GigabitEthernet3/0/1] quit [Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 3/0/1 vlan 10...
  • Page 216: Port-Security Ntk-Mode

    Usage guidelines In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port. The maximum number set by this command cannot be smaller than the current number of MAC addresses saved on the port. In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port.
  • Page 217: Port-Security Oui

    Usage guidelines The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic. Examples # Set the NTK mode of port GigabitEthernet 3/0/1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.
  • Page 218: Port-Security Port-Mode

    Related commands display port-security port-security port-mode Use port-security port-mode to set the port security mode of a port. Use undo port-security port-mode to restore the default. Syntax port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } undo port-security port-mode Default...
  • Page 219 Keyword Security mode Description mac-else-userlogin-secure-ext macAddressElseUserLoginSecureExt Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users. In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.
  • Page 220: Port-Security Timer Autolearn Aging

    Examples # Enable port security and set port GigabitEthernet 3/0/1 in secure mode. <Sysname> system-view [Sysname] port-security enable [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] port-security port-mode secure # Change the port security mode of port GigabitEthernet 3/0/1 to userLogin. [Sysname-GigabitEthernet3/0/1] undo port-security port-mode [Sysname-GigabitEthernet3/0/1] port-security port-mode userlogin Related commands display port-security...
  • Page 221: Port-Security Trap

    Syntax port-security timer disableport time-value undo port-security timer disableport Default The silence period is 20 seconds. Views System view Default command level 2: System level Parameters time-value: Specifies the silence period in seconds during which the port remains disabled. The value range is 20 to 300.
  • Page 222 Parameters addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address. dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails. dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.
  • Page 223: User Profile Configuration Commands

    User profile configuration commands display user-profile Use display user-profile to display information about all user profiles that have been created. Syntax display user-profile [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 2: System level Parameters |: Filters command output by specifying a regular expression.
  • Page 224: User-Profile

    Syntax user-profile profile-name enable undo user-profile profile-name enable Default A created user profile is disabled. Views System view Default command level 2: System level Parameters profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underlines, and it must start with an English letter.
  • Page 225 Parameters profile-name: Assigns a name to the user profile. The name is a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underlines, and it must start with an English letter. A user profile name must be globally unique. Examples # Create user profile a123.
  • Page 226: Password Control Configuration Commands

    Password control configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration information.
  • Page 227: Display Password-Control Blacklist

    Password complexity: Disabled (username checking) Disabled (repeated characters checking) # Display the password control configuration for super passwords. <Sysname> display password-control super Super password control configurations: Password aging: Enabled (90 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Table 26 Command output Field...
  • Page 228: Password

    Views Any view Default command level 2: System level Parameters user-name name: Specifies a user by the name, a string of 1 to 80 characters. ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. |: Filters command output by specifying a regular expression.
  • Page 229: Password-Control { Aging | Composition | History | Length } Enable

    Syntax password undo password Views Local user view Default command level 2: System level Usage guidelines Valid characters for a local user password are from the following four types: uppercase letters A to Z, lowercase letters a to z, ...
  • Page 230: Password-Control Aging

    Views System view Default command level 2: System level Parameters aging: Enables the password aging function. composition: Enables the password composition restriction function. history: Enables the password history function. length: Enables the minimum password length restriction function. Usage guidelines For these four functions to take effect, the password control feature must be enabled globally. You must enable a function for its relevant configurations to take effect.
  • Page 231: Password-Control Alert-Before-Expire

    Default A password expires after 90 days globally. The password aging time of a user group equals the global setting. The password aging time of a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Default command level...
  • Page 232: Password-Control Authentication-Timeout

    undo password-control alert-before-expire Default A user is notified of pending password expiration 7 days before the user's password expires. Views System view Default command level 2: System level Parameters alert-time: Specifies the number of days before a user's password expires during which the user is notified of the pending password expiration.
  • Page 233: Password-Control Complexity

    password-control complexity Use password-control complexity to configure the password complexity checking policy. Complexity-incompliant passwords will be refused. Use undo password-control complexity check to remove a password complexity checking item. Syntax password-control complexity { same-character | user-name } check undo password-control complexity { same-character | user-name } check Default No user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively.
  • Page 234 In FIPS mode, the global password composition policy is as follows: A password must contain four types of characters from uppercase letters, lowercase letters, digits and special characters, and each type contains at least one character. In both FIPS and non-FIPS mode, the password composition policy of a user group is the same as the global policy, and the password composition policy of a local user is the same as that of the user group to which the local user belongs.
  • Page 235: Password-Control Enable

    password-control enable Use password-control enable to enable the password control feature globally. Use undo password-control enable to disable the password control feature globally. Syntax password-control enable undo password-control enable Default The password control feature is disabled globally. Views System view Default command level 2: System level Usage guidelines...
  • Page 236: Password-Control History

    Parameters delay: Specifies the maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90. times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10.
  • Page 237 Default The global minimum password length is 10 characters. The minimum password length of a user group equals the global setting. The minimum password length of a local user equals that of the user group to which the local user belongs. Views System view, user group view, local user view Default command level...
  • Page 238: Password-Control Login Idle-Time

    password-control login idle-time Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device. Use undo password-control login idle-time to restore the default. Syntax password-control login idle-time idle-time undo password-control login idle-time...
  • Page 239 Parameters login-times: Specifies the maximum number of consecutive failed login attempts, in the range of 2 to 10. exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts. lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in. lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again.
  • Page 240: Password-Control Password Update Interval

    display password-control blacklist, reset password-control blacklist. password-control password update interval Use password-control password update interval to set the minimum password update interval, that is, the minimum interval at which users can change their passwords. Use undo password-control password update interval to restore the default. Syntax password-control password update interval interval undo password-control password update interval...
  • Page 241: Password-Control Super Composition

    Views System view Default command level 2: System level Parameters aging-time: Specifies the super password aging time in days, in the range of 1 to 365. Usage guidelines If you do not specify an aging time for super passwords, the system applies the global password aging time to super passwords.
  • Page 242: Password-Control Super Length

    Usage guidelines If you do not specify a composition policy for super passwords, the system applies the global password composition policy to super passwords. If you have specified a composition policy for super passwords, the system applies the composition policy to super passwords. Examples # Specify that all super passwords must each contain at least three types of characters and each type contains at least five characters.
  • Page 243: Reset Password-Control Blacklist

    reset password-control blacklist Use reset password-control blacklist to remove all or one user from the password control blacklist. Syntax reset password-control blacklist { all | user-name name } Views User view Default command level 3: Manage level Parameters all: Clears all users from the password control blacklist. user-name name: Specifies the user to be removed from the password control blacklist.
  • Page 244 With the super keyword specified but the level argument not specified, this command deletes the history records of all super passwords. Examples # Clear the history password records of all local users (enter Y to confirm). <Sysname> reset password-control history-record Are you sure to delete all local user's history records? [Y/N]:...
  • Page 245: Rsh Configuration Commands

    RSH configuration commands Use rsh to execute an OS command on a remote host. Syntax rsh host [ user username ] command remote-command Views User view Default command level 0: Visit level Parameters host: IP address or host name of the remote host, a string of 1 to 20 characters. user username: Specifies the username for remote login, a string of 1 to 20 characters.
  • Page 246 2001-12-07 17:28 122,880 wrshdctl.exe 2003-06-21 10:51 192,512 wrshdnt.cpl 2001-12-09 16:41 38,991 wrshdnt.hlp 2001-12-09 16:26 1,740 wrshdnt.cnt 2003-06-22 11:14 452,230 wrshdnt.htm 2003-06-23 18:18 4,803 wrshdnt_header.htm 2003-06-23 18:18 178 wrshdnt_filelist.xml 2003-06-22 11:13 156,472 wrshdnt.pdf 2001-09-02 15:41 49,152 wrshdrdr.exe 2003-06-21 10:32 69,632 wrshdrun.exe 2004-01-02 15:54 196,608 wrshdsp.exe...
  • Page 247: Public Key Configuration Commands

    Public key configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display the public key information of local asymmetric key pairs.
  • Page 248: Display Public-Key Peer

    Time of Key pair created: 19:59:17 2007/10/25 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12 B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75 1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 20:00:16 2007/10/25 Key name: HOST_KEY...
  • Page 249 Syntax display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all peer public keys. name publickey-name: Displays information about a peer public key.
  • Page 250: Peer-Public-Key End

    Field Description Key Code Public key data. # Display brief information about all locally saved peer public keys. <Sysname> display public-key peer brief Type Module Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 30 Command output Field Description Type Key type: RSA or DSA. Module Key modulus length in bits.
  • Page 251: Public-Key-Code Begin

    Default command level 2: System level Usage guidelines If the peer device is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant. Examples # Enter public key code view and input the key.
  • Page 252: Public-Key Local Create

    Usage guidelines The system verifies the key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key. Examples # Exit public key code view and save the configured public key.
  • Page 253: Public-Key Local Destroy

    In FIPS mode, the DSA key modulus length is at least 1024 bits, and the RSA key modulus length must be 2048 bits. Examples # Create local RSA key pairs. <Sysname> system-view [Sysname] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.
  • Page 254: Public-Key Local Export Dsa

    Parameters dsa: DSA key pair. rsa: RSA key pair. Examples # Destroy the local RSA key pairs. <Sysname> system-view [Sysname] public-key local destroy rsa Warning: Confirm to destroy these keys? [Y/N]:y # Destroy the local DSA key pair. <Sysname> system-view [Sysname] public-key local destroy dsa Warning: Confirm to destroy these keys? [Y/N] :y Related commands...
  • Page 255: Public-Key Local Export Rsa

    [Sysname] public-key local export dsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "dsa-key-20070625" AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEKdDt6xcatp RjxsSrhXFVIdRjxw59qZnKhl87GsbgP4ccUp3KmcRzuqpz1qNtfgoZOLzHnG1YGxPp7Q2k/uRuuHN0bJfBkOL o2/RyGqDJIqB4FQwmrkwJuauYGqQy+mgE6dmHn0VG4gAkx9MQxDIBjzbZRX0bvxMdNKR22 ---- END SSH2 PUBLIC KEY ---- # Display the local DSA host public key in OpenSSH format. <Sysname> system-view [Sysname] public-key local export dsa openssh ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3...
  • Page 256: Public-Key Peer

    Usage guidelines SSH1, SSH2.0 and OpenSSH are different public key formats for different requirements. Examples # Export the host public key of the local RSA key pairs in OpenSSH format to the file named key.pub. <Sysname> system-view [Sysname] public-key local export rsa openssh key.pub # Display the host public key of the local RSA key pairs in SSH2.0 format.
  • Page 257: Public-Key Peer Import Sshkey

    Usage guidelines To manually configure the peer public key on the local device, obtain the public key in hexadecimal from the peer device beforehand, and perform the following configurations on the local device: Execute the public-key peer command, and then the public-key-code begin command to enter public key code view.
  • Page 258 Examples # Import the peer host public key named key2 from the public key file key.pub. <Sysname> system-view [Sysname] public-key peer key2 import sshkey key.pub Related commands display public-key peer...
  • Page 259: Pki Configuration Commands

    PKI configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name and alternative certificate subject name.
  • Page 260: Ca Identifier

    Usage guidelines The attribute of the alternative certificate subject name does not appear as a distinguished name, and therefore the dn keyword is not available for the attribute. Examples # Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc. <Sysname>...
  • Page 261: Certificate Request From

    Use undo certificate request entity to remove the configuration. Syntax certificate request entity entity-name undo certificate request entity Default No entity is specified for certificate request. Views PKI domain view Default command level 2: System level Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Examples # Specify the entity for certificate request as entity1.
  • Page 262: Certificate Request Mode

    <Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] certificate request from ca certificate request mode Use certificate request mode to set the certificate request mode. Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual } undo certificate request mode Default...
  • Page 263: Certificate Request Polling

    Related commands pki request-certificate certificate request polling Use certificate request polling to specify the certificate request polling interval and attempt limit. Use undo certificate request polling to restore the defaults. Syntax certificate request polling { count count | interval minutes } undo certificate request polling { count | interval } Default The polling is executed every 20 minutes for up to 50 times.
  • Page 264: Common-Name

    Default No URL is specified for a PKI domain. Views PKI domain view Default command level 2: System level Parameters url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of the CGI command interface script, in the format http://server_location/ca_script_location, where server_location must be an IP address; domain name resolution is not supported.
  • Page 265: Country

    country Use country to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China. Use undo country to remove the configuration. Syntax country country-code-str undo country Default No country code is specified. Views PKI entity view Default command level...
  • Page 266: Crl Update-Period

    Usage guidelines CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted. Examples # Disable CRL checking.
  • Page 267: Display Pki Certificate

    Default No CRL distribution point URL is specified. Views PKI domain view Default command level 2: System level Parameters url-string: URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters in the format of ldap://server_location or http://server_location, where server_location must be an IP address or a domain name.
  • Page 268 regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display the local certificate. <Sysname> display pki certificate local domain 1 Certificate: Data: Version: 3 (0x2) Serial Number: 10B7D4E3 00010000 0086 Signature Algorithm: md5WithRSAEncryption Issuer: emailAddress=myca@aabbcc.net C=CN ST=Country A...
  • Page 269: Display Pki Certificate Access-Control-Policy

    Field Description Issuer Issuer of the certificate. Validity Validity period of the certificate. Subject Entity holding the certificate. Subject Public Key Info Public key information of the entity. X509v3 extensions Extensions of the X.509 (version 3) certificate. X509v3 CRL Distribution Points Distribution points of X.509 (version 3) CRLs.
  • Page 270: Display Pki Certificate Attribute-Group

    Table 32 Command output Field Description access-control-policy Name of the certificate attribute-based access control policy. rule number Number of the access control rule. display pki certificate attribute-group Use display pki certificate attribute-group to display information about one or all certificate attribute groups.
  • Page 271: Display Pki Crl Domain

    Field Description Value of attribute 1. issuer-name Name of the certificate issuer. fqdn FQDN of the entity. nctn Not-contain operations. Value of attribute 2. display pki crl domain Use display pki crl domain to display the locally saved CRLs. Syntax display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 272: Fqdn

    Revoked Certificates: Serial Number: 05a234448E… Revocation Date: Sep 6 12:33:22 2004 GMT CRL entry extensions:… Serial Number: 05a278445E… Revocation Date: Sep 7 12:33:22 2004 GMT CRL entry extensions:… Table 34 Command output Field Description Version Version of the CRL. Signature Algorithm Signature algorithm used by the CRLs.
  • Page 273: Ip (Pki Entity View)

    Parameters name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters. Usage guidelines An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.
  • Page 274: Locality

    Default No LDAP server is specified for a PKI domain. Views PKI domain view Default command level 2: System level Parameters ip-address: Specifies the IP address of the LDAP server, in dotted decimal format. port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.
  • Page 275: Organization

    organization Use organization to configure the name of the organization to which the entity belongs. Use undo organization to remove the configuration. Syntax organization org-name undo organization Default No organization name is specified for an entity. Views PKI entity view Default command level 2: System level Parameters...
  • Page 276: Pki Certificate Access-Control-Policy

    Examples # Configure the name of the organization unit to which an entity belongs as group1. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] organization-unit group1 pki certificate access-control-policy Use pki certificate access-control-policy to create a certificate attribute-based access control policy and enter its view.
  • Page 277: Pki Delete-Certificate

    Views System view Default command level 2: System level Parameters group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all. all: Specifies all certificate attribute groups. Examples # Create a certificate attribute group named mygroup and enter its view.
  • Page 278: Pki Entity

    Default No PKI domain exists. Views System view Default command level 2: System level Parameters domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters. Usage guidelines You can create up to 32 PKI domains on a device. Examples # Create a PKI domain and enter its view.
  • Page 279: Pki Import-Certificate

    pki import-certificate Use pki import-certificate to import a CA certificate or local certificate from a file and save it locally. Syntax pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ] Views System view Default command level...
  • Page 280: Pki Retrieval-Certificate

    Views System view Default command level 2: System level Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters. password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters. pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by out-of-band means, such as phone, disk, or email.
  • Page 281: Pki Retrieval-Crl Domain

    local: Obtains the local certificate. domain-name: Name of the PKI domain used for certificate request. Examples # Obtain the CA certificate from the certificate issuing server. <Sysname> system-view [Sysname] pki retrieval-certificate ca domain 1 Related commands pki domain pki retrieval-crl domain Use pki retrieval-crl domain to obtain the latest CRLs from the server for CRL distribution.
  • Page 282: Root-Certificate Fingerprint

    Parameters ca: Verifies the CA certificate. local: Verifies the local certificate. domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters. Usage guidelines Certificate validity verification checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.
  • Page 283: Rule (Pki Cert Acp View)

    # Configure a SHA1 fingerprint for verifying the validity of the CA root certificate. [Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 rule (PKI CERT ACP view) Use rule to create a certificate attribute access control rule. Use undo rule to delete one or all access control rules. Syntax rule [ id ] { deny | permit } group-name undo rule { id | all }...
  • Page 284 Syntax state state-name undo state Default No state or province is specified. Views PKI entity view Default command level 2: System level Parameters state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
  • Page 285: Ipsec Configuration Commands

    IPsec configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
  • Page 286: Connection-Name

    connection-name Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy. Use undo connection-name to restore the default. Syntax connection-name name undo connection-name Default No IPsec connection name is configured. Views IPsec policy view, IPsec policy template view Default command level 2: System level...
  • Page 287: Display Ipsec Policy

    Parameters Specifies an interface card by its slot number. The following matrix shows the slot slot-number option and router compatibility: Option 6602 HSR6602 6604/6608/6616 slot slot-number Examples # Enable the encryption engine. <Sysname> system-view [Sysname] cryptoengine enable display ipsec policy Use display ipsec policy to display information about IPsec policies.
  • Page 288 <Sysname> display ipsec policy brief IPsec Policy Name Mode IKE Peer Name Mapped Template ------------------------------------------------------------------------ bbbbbbbbbbbbbbb-1 template aaaaaaaaaaaaaaa man-1 manual 3400 map-1 isakmp 3000 peer nat-1 isakmp 3500 test-1 isakmp 3200 test toccccc-1 isakmp 3003 tocccc IPsec Policy Name Mode Local Address Remote Address ------------------------------------------------------------------------...
  • Page 289 synchronization inbound anti-replay-interval: 1000 packets synchronization outbound anti-replay-interval: 10000 packets IPsec sa local duration(time based): 3600 seconds IPsec sa local duration(traffic based): 1843200 kilobytes policy enable: True tfc enable: False =========================================== IPsec Policy Group: "policy_man" Interface: GigabitEthernet3/0/2 =========================================== ----------------------------------------- IPsec policy name: "policy_man" sequence number: 10 acl version: ACL4 mode: manual...
  • Page 290 IPsec policy name: "policy001" sequence number: 10 acl version: None mode: manual ----------------------------- encapsulation mode: tunnel security data flow : tunnel local address: tunnel remote address: transform-set name: prop1 inbound AH setting: AH spi: AH string-key: AH authentication hex key: ****** inbound ESP setting: ESP spi: 23456 (0x5ba0) ESP string-key:...
  • Page 291: Display Ipsec Policy-Template

    Field Description Name of the protocol to which the IPsec policy is applied. (This Protocol field is not displayed when the IPsec policy is not applied to any routing protocol.) sequence number Sequence number of the IPsec policy. Negotiation mode of the IPsec policy: •...
  • Page 292 Parameters brief: Displays brief information about all IPsec policy templates. name: Displays detailed information about a specified IPsec policy template or IPsec policy template group. template-name: Name of the IPsec policy template, a string of 1 to 41 characters. seq-number: Sequence number of the IPsec policy template, in the range 1 to 10000. |: Filters command output by specifying a regular expression.
  • Page 293: Display Ipsec Profile

    ACL’s Version: acl4 ike-peer name: PFS: N transform-set name: testprop IPsec sa local duration(time based): 3600 seconds IPsec sa local duration(traffic based): 1843200 kilobytes Table 38 Command output Field Description encapsulation mode: IPsec packet encapsulation mode: tunnel—Tunnel mode; transport—Transport mode.
  • Page 294 exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays the configuration information of all IPsec profiles.
  • Page 295: Display Ipsec Sa

    Table 39 Command output Field Description Interface: Interface that references the IPsec profile. encapsulation mode: Encapsulation mode for the IPsec profile: dvpn—DVPN tunnel mode; tunnel—IPsec tunnel mode. security data flow: ACL referenced by the IPsec profile. As an IPsec profile does not reference any ACL, no information is displayed for this field.
  • Page 296 |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 297 PFS: N, DH group: none tunnel: local address: 2.2.2.2 remote address: 1.1.1.2 flow: sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP [inbound ESP SAs] spi: 0xd47b1ac1(3564837569) transform: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 1 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686 anti-replay detection: Enabled...
  • Page 298 in use setting: Transport connection id: 3 No duration limit for this sa [outbound AH SAs] spi: 0x12d683 (1234563) transform: AH-MD5HMAC96 in use setting: Transport connection id: 4 No duration limit for this sa =============================== Interface: GigabitEthernet1/0/1 path MTU: 1500 =============================== ----------------------------- IPsec policy name: "r2"...
  • Page 299 spi: 0x2FC8FD45(801701189) transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 7 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686 anti-replay detection: Disabled udp encapsulation used for nat traversal: N/A status: active spi: 0xBC1D46C4(3156035268) transfrom: ESP-ENCRYPT-DES ESP-AUTH-MD5 in use setting: Tunnel connection id: 8 sa duration (kilobytes/sec): 4294967295/604800 sa remaining duration (kilobytes/sec): 1843200/2686...
  • Page 300: Display Ipsec Statistics

    Field Description Security parameter index. transform Security protocol and algorithms used by the IPsec transform set. in use setting IPsec SA attribute setting: transport or tunnel. connection id IPsec tunnel identifier. sa duration Lifetime of the IPsec SA. sa remaining duration Remaining lifetime of the SA.
  • Page 301 Examples # Display statistics for all IPsec packets. <Sysname> display ipsec statistics the security packet statistics: input/output security packets: 47/62 input/output security bytes: 3948/5208 input/output dropped security packets: 0/45 dropped security packet detail: not enough memory: 0 can't find SA: 45 queue is full: 0 authentication has failed: 0 wrong length: 0...
  • Page 302: Display Ipsec Transform-Set

    Field Description can't find SA Number of packets dropped due to finding no security association. queue is full Number of packets dropped due to full queues. authentication has failed Number of packets dropped due to authentication failure. wrong length Number of packets dropped due to wrong packet length. replay packet Number of packets replayed.
  • Page 303: Display Ipsec Tunnel

    ESN : disable ESN scheme: NO transform: esp-new ESP protocol: Integrity: md5-hmac-96 Encryption: des IPsec transform-set name: tran2 encapsulation mode: transport transform: esp-new ESP protocol: Integrity: md5-hmac-96 Encryption: des Table 43 Command output Field Description IPsec transform-set name Name of the IPsec transform set. encapsulation mode Encapsulation mode used by the IPsec transform set, transport or tunnel.
  • Page 304 Examples # Display information about IPsec tunnels. <Sysname> display ipsec tunnel total tunnel : 2 ------------------------------------------------ connection id: 3 perfect forward secrecy: SA's SPI: inbound: 187199087 (0xb286e6f) [ESP] outbound: 3562274487 (0xd453feb7) [ESP] tunnel: local address: 44.44.44.44 remote address : 44.44.44.55 flow: sour addr : 44.44.44.0/255.255.255.0 port: 0...
  • Page 305: Encapsulation-Mode

    Field Description tunnel: Local and remote addresses of the tunnel. flow: Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol. as defined in acl 3001: The IPsec tunnel protects all data flows defined by ACL 3001. encapsulation-mode Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
  • Page 306: Esp Encryption-Algorithm

    Syntax esp authentication-algorithm { md5 | sha1 } undo esp authentication-algorithm Default In FIPS mode, ESP uses the SHA-1 authentication algorithm. In non-FIPS mode, ESP uses no authentication algorithm. Views IPsec transform set view Default command level 2: System level Parameters md5: Uses the MD5 algorithm, which uses a 128-bit key.
  • Page 307: Ike-Peer (Ipsec Policy View/Ipsec Policy Template View/Ipsec Profile View)

    In non-FIPS mode, ESP uses no encryption algorithm. Views IPsec transform set view Default command level 2: System level Parameters 3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key. This keyword is not supported in FIPS mode. aes-cbc-128: Uses the Advanced Encryption Standard (AES) in CBC mode that uses a 128-bit key.
  • Page 308: Ipsec Anti-Replay Check

    Views IPsec policy view, IPsec policy template view, IPsec profile view Default command level 2: System level Parameters peer-name: IKE peer name, a string of 1 to 32 characters. Examples # Configure a reference to an IKE peer in an IPsec policy. <Sysname>...
  • Page 309: Ipsec Decrypt Check

    Use undo ipsec anti-replay window to restore the default. Syntax ipsec anti-replay window width undo ipsec anti-replay window Default The size of the anti-replay window is 32. Views System view Default command level 2: System level Parameters width: Size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024. Usage guidelines Your configuration affects only IPsec SAs negotiated later.
  • Page 310: Ipsec Fragmentation Before-Encryption

    ipsec fragmentation before-encryption Use ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation before encryption. Use undo ipsec fragmentation before-encryption enable to enable IPsec packet fragmentation after encryption. Syntax ipsec fragmentation before-encryption enable undo ipsec fragmentation before-encryption enable Default IPsec packet fragmentation before encryption is enabled. Views System view Default command level...
  • Page 311: Ipsec Policy (Interface View)

    Default The invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs. Views System view Default command level 2: System level Usage guidelines Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its peer when it receives an IPsec packet but cannot find any SA with the specified SPI.
  • Page 312: Ipsec Policy (System View)

    Examples # Apply IPsec policy group pg1 to interface Serial 2/1/2. <Sysname> system-view [Sysname] interface serial 2/1/2 [Sysname-Serial2/1/2] ipsec policy pg1 Related commands ipsec policy (system view) ipsec policy (system view) Use ipsec policy to create an IPsec policy and enter its view. Use undo ipsec policy to delete the specified IPsec policies.
  • Page 313: Ipsec Policy Isakmp Template

    Examples # Create an IPsec policy with the name policy1 and sequence number 100, and specify to set up SAs through IKE negotiation. <Sysname> system-view [Sysname] ipsec policy policy1 100 isakmp [Sysname-ipsec-policy-isakmp-policy1-100] # Create an IPsec policy with the name policy1 and specify the manual mode for it. <Sysname>...
  • Page 314: Ipsec Policy-Template

    ipsec policy-template Examples # Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1. <Sysname> system-view [Sysname] ipsec policy policy2 200 isakmp template temp1 ipsec policy-template Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view. Use undo ipsec policy-template to delete the specified IPsec policy templates.
  • Page 315: Ipsec Profile (Tunnel Interface View)

    Use undo ipsec profile to delete an IPsec profile. Syntax ipsec profile profile-name undo ipsec profile profile-name Default No IPsec profile exists. Views System view Default command level 2: System level Parameters profile-name: Name for the IPsec profile, a case-insensitive string of 1 to 15 characters. Usage guidelines IPsec profiles can be applied to only DVPN interfaces and IPsec tunnel interfaces.
  • Page 316: Ipsec Sa Global-Duration

    Parameters profile-name: Name of the IPsec profile, a case-insensitive string of 1 to 15 characters. Usage guidelines Only one IPsec profile can be applied to a tunnel interface. To apply another IPsec profile to the tunnel interface, remove the original application first. An IPsec profile cannot be applied to the DVPN tunnel interface and the IPsec tunnel interface simultaneously.
  • Page 317: Ipsec Transform-Set

    Usage guidelines When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime. When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by the remote.
  • Page 318: Pfs

    Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy or IPsec profile to initiate a negotiation. Use undo pfs to remove the configuration. Syntax pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 } undo pfs Default The PFS feature is not used for negotiation.
  • Page 319: Policy Enable

    policy enable Use policy enable to enable the IPsec policy. Use undo policy enable to disable the IPsec policy. Syntax policy enable undo policy enable Default The IPsec policy is enabled. Views IPsec policy view, IPsec policy template view Default command level 2: System level Usage guidelines The command is not applicable to manual IPsec policies.
  • Page 320: Reset Ipsec Sa

    Usage guidelines With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header of the original IP packet—the header of the IP packet that has not been encapsulated by IPsec. Examples # Enable packet information pre-extraction. <Sysname>...
  • Page 321: Reset Ipsec Statistics

    IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared. If you do not specify any parameter, the command clears all IPsec SAs. Examples # Clear all IPsec SAs.
  • Page 322 Syntax reverse-route [ remote-peer ip-address [ gateway | static ] | static ] undo reverse-route Default IPsec RRI is disabled. Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters static: Enables static IPsec Reverse Route Inject (RRI). Static IPsec RRI creates static routes based on the ACL that the IPsec policy references.
  • Page 323 Table 45 Possible IPsec RRI configurations and the generated routing information IPsec RRI Command Route destination Next hop address mode • Manual IPsec policy: Peer tunnel address set with the tunnel remote Destination IP address command. specified in a permit rule of reverse-route static Static •...
  • Page 324 [Sysname-ipsec-policy-isakmp-1-1] security acl 3000 [Sysname-ipsec-policy-isakmp-1-1] transform-set tran1 [Sysname-ipsec-policy-isakmp-1-1] ike-peer 1 [Sysname-ipsec-policy-isakmp-1-1] reverse-route static [Sysname-ipsec-policy-isakmp-1-1] quit [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] ipsec policy 1 [Sysname-GigabitEthernet3/0/1]quit # Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not shown.) [Sysname] display ip routing-table Destination/Mask...
  • Page 325: Reverse-Route Preference

    # Configure dynamic IPsec RRI to create two static routes based on an IPsec SA: one to the peer private network 3.0.0.0/24 via the remote tunnel endpoint 1.1.1.2, and the other to the remote tunnel endpoint via 1.1.1.3. [Sysname]ipsec policy 1 1 isakmp [Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 gateway # Display the routing table.
  • Page 326: Reverse-Route Tag

    Related commands reverse-route reverse-route tag Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in implementing flexible route control through routing policies. Use undo reverse-route tag to restore the default. Syntax reverse-route tag tag-value undo reverse-route tag...
  • Page 327 undo sa authentication-hex { inbound | outbound } { ah | esp } Views IPsec policy view Default command level 2: System level Parameters inbound: Specifies the inbound SA through which IPsec processes the received packets. outbound: Specifies the outbound SA through which IPsec processes the packets to be sent. ah: Uses AH.
  • Page 328: Sa Duration

    sa duration Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile. Use undo sa duration to restore the default. Syntax sa duration { time-based seconds | traffic-based kilobytes } undo sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime.
  • Page 329: Sa Encryption-Hex

    [Sysname] ipsec profile profile1 [Sysname-ipsec-profile-profile1] sa duration time-based 7200 # Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes). <Sysname> system-view [Sysname] ipsec profile profile1 [Sysname-ipsec-profile-profile1] sa duration traffic-based 20480 sa encryption-hex Use sa encryption-hex to configure an encryption key for an SA. Use undo sa encryption-hex to remove the configuration.
  • Page 330: Sa Spi

    At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel.
  • Page 331: Sa String-Key

    Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process.
  • Page 332: Security Acl

    Usage guidelines This command applies to only manual IPsec policies. This command is not available in FIPS mode. When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs. The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
  • Page 333 Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters ipv6: Specifies an IPV6 ACL. acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999. aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the standard mode is used.
  • Page 334: Transform

    transform Use transform to specify a security protocol for an IPsec transform set. Use undo transform to restore the default. Syntax transform { ah | ah-esp | esp } undo transform Default The ESP protocol is used. Views IPsec transform set view Default command level 2: System level Parameters...
  • Page 335: Tunnel Local

    Views IPsec policy view, IPsec policy template view, IPsec profile view Default command level 2: System level Parameters transform-set-name&<1-6>: Name of the IPsec transform set, a string of 1 to 32 characters. &<1-6> means that you can specify up to six transform sets, which are separated by space. Usage guidelines The specified IPsec transform sets must already exist.
  • Page 336: Tunnel Remote

    Default No local address is configured for an IPsec tunnel. Views IPsec policy view Default command level 2: System level Parameters ipv6: Specifies an IPv6 address. ip-address: Local address for the IPsec tunnel. Usage guidelines This command applies to only manual IPsec policies. The local address, if not configured, will be the address of the interface to which the IPsec policy is applied.
  • Page 337 ip-address: Remote address for the IPsec tunnel. Usage guidelines This command applies to only manual IPsec policies. If you execute this command multiple times, the most recent configuration takes effect. An IPsec tunnel is established between the local and remote ends. The remote IP address of the local end must be the same as that of the local IP address of the remote end.
  • Page 338: Ike Configuration Commands

    IKE configuration commands authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default. Syntax authentication-algorithm { md5 | sha } undo authentication-algorithm Default An IKE proposal uses the SHA-1 authentication algorithm. Views IKE proposal view Default command level...
  • Page 339: Certificate Domain

    Views IKE proposal view Default command level 2: System level Parameters pre-share: Uses the pre-shared key method. rsa-signature: Uses the RSA digital signature method. Examples # Specify that IKE proposal 10 uses the pre-shared key authentication method. <Sysname> system-view [Sysname] ike proposal 10 [Sysname-ike-proposal-10] authentication-method pre-share Related commands ike proposal...
  • Page 340: Display Ike Dpd

    Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal. Use undo dh to restore the default. Syntax dh { group1 | group2 | group5 | group14 } undo dh Default In FIPS mode, group2 (1024-bit Diffie-Hellman group) is used.
  • Page 341: Display Ike Peer

    Parameters dpd-name: DPD name, a string of 1 to 32 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 342: Display Ike Proposal

    |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 343 Syntax display ike proposal [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  • Page 344: Display Ike Sa

    sa duration display ike sa Use display ike sa to display information about the current IKE SAs. Syntax display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address ] ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
  • Page 345 Table 49 Command output Field Description total phase-1 SAs Total number of SAs for phase 1. connection-id Identifier of the ISAKMP SA. peer Remote IP address of the SA. Status of the SA: • RD (READY)—The SA has been established. •...
  • Page 346 remaining key duration(sec): 86379 exchange-mode: MAIN diffie-hellman group: GROUP1 nat traversal: NO # Display detailed information about the IKE SA with the connection ID of 2. <Sysname> display ike sa verbose connection-id 2 --------------------------------------------- vpn-instance: 1 transmitting entity: initiator --------------------------------------------- local id type: IPV4_ADDR local id: 4.4.4.4 remote id type: IPV4_ADDR...
  • Page 347: Dpd

    authentication-algorithm: HASH-SHA1 encryption-algorithm: DES-CBC life duration(sec): 86400 remaining key duration(sec): 82236 exchange-mode: MAIN diffie-hellman group: GROUP1 nat traversal: NO Table 50 Command output Field Description vpn-instance MPLS L3VPN that the protected data belongs to. transmitting entity Entity in the IKE negotiation. local id type Identifier type of the local gateway.
  • Page 348: Encryption-Algorithm

    Default No DPD detector is applied to an IKE peer. Views IKE peer view Default command level 2: System level Parameters dpd-name: DPD detector name, a string of 1 to 32 characters. Examples # Apply dpd1 to IKE peer peer1. <Sysname>...
  • Page 349: Exchange-Mode

    When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends setting the IKE negotiation mode to aggressive at the local end.
  • Page 350: Ike Dpd

    Syntax id-type { ip | name | user-fqdn } undo id-type Default The ID type is IP address. Views IKE peer view Default command level 2: System level Parameters ip: Uses an IP address as the ID during IKE negotiation. name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.
  • Page 351: Ike Local-Name

    Views System view Default command level 2: System level Parameters dpd-name: Name for the DPD detector, a string of 1 to 32 characters. Usage guidelines DPD irregularly detects dead IKE peers. It works as follows: When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
  • Page 352: Ike Next-Payload Check Disabled

    Parameters name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters. Usage guidelines If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation, and you must configure the ike local-name command in system view or the local-name command in IKE peer view on the local device.
  • Page 353: Ike Peer (System View)

    ike peer (system view) Use ike peer to create an IKE peer and enter IKE peer view. Use undo ike peer to delete an IKE peer. Syntax ike peer peer-name undo ike peer peer-name Views System view Default command level 2: System level Parameters peer-name: IKE peer name, a string of 1 to 32 characters.
  • Page 354: Ike Sa Keepalive-Timer Interval

    Setting Non-FIPS mode FIPS mode Authentication HMAC-SHA1 algorithm Authentication method Pre-shared key Pre-shared key DH group MODP_768 MODP_1024 SA lifetime 86400 seconds 86400 seconds Examples # Create IKE proposal 10 and enter IKE proposal view. <Sysname> system-view [Sysname] ike proposal 10 [Sysname-ike-proposal-10] Related commands display ike proposal...
  • Page 355: Ike Sa Keepalive-Timer Timeout

    ike sa keepalive-timer timeout Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout. Use undo ike sa keepalive-timer timeout to disable the function. Syntax ike sa keepalive-timer timeout seconds undo ike sa keepalive-timer timeout Default No keepalive packet is sent. Views System view Default command level...
  • Page 356: Interval-Time

    Default command level 2: System level Parameters seconds: NAT keepalive interval in seconds, in the range 5 to 300. Examples # Set the NAT keepalive interval to 5 seconds. <Sysname> system-view [Sysname] ike sa nat-keepalive-timer interval 5 interval-time Use interval-time to set the DPD query triggering interval for a DPD detector. Use undo interval-time to restore the default.
  • Page 357: Local-Address

    Default The subnet is a single one. Views IKE peer view Default command level 2: System level Parameters multi-subnet: Sets the subnet type to multiple. single-subnet: Sets the subnet type to single. Usage guidelines Use this command to enable interoperability with a NetScreen device. Examples # Set the subnet type of the local security gateway to multiple.
  • Page 358: Local-Name

    [Sysname-ike-peer-xhy] local-address 1.1.1.1 local-name Use local-name to configure a name for the local security gateway to be used in IKE negotiation. Use undo local-name to restore the default. Syntax local-name name undo local-name Default The device name is used as the name of the local security gateway view. Views IKE peer view Default command level...
  • Page 359: Peer

    Syntax nat traversal undo nat traversal Default The NAT traversal function is disabled. Views IKE peer view Default command level 2: System level Examples # Enable the NAT traversal function for IKE peer peer1. <Sysname> system-view [Sysname] ike peer peer1 [Sysname-ike-peer-peer1] nat traversal peer Use peer to set the subnet type of the peer security gateway for IKE negotiation.
  • Page 360: Pre-Shared-Key

    pre-shared-key Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation. Use undo pre-shared-key to remove the configuration. Syntax pre-shared-key [ cipher | simple ] key undo pre-shared-key Views IKE peer view Default command level 2: System level Parameters cipher: Sets a ciphertext pre-shared key.
  • Page 361: Remote-Address

    Views IKE peer view Default command level 2: System level Parameters proposal-number&<1-6>: Sequence number of the IKE proposal for the IKE peer to reference, in the range 1 to 65535. &<1-6> means that you can specify the proposal-number argument for up to six times. An IKE proposal with a smaller sequence number has a higher priority.
  • Page 362: Remote-Name

    low-ip-address: IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses. high-ip-address: Highest address in the address range if you want to specify a range of addresses. Usage guidelines The IP address configured with the remote-address command must match the local security gateway IP address that the remote security gateway uses for IKE negotiation, which is the IP address configured with...
  • Page 363: Reset Ike Sa

    Usage guidelines If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.
  • Page 364: Sa Duration

    <Sysname> display ike sa total phase-1 SAs: connection-id peer flag phase ---------------------------------------------------------- 202.38.0.2 RD|ST IPSEC flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY Related commands display ike sa sa duration Use sa duration to set the ISAKMP SA lifetime for an IKE proposal. Use undo sa duration to restore the default.
  • Page 365 Syntax time-out time-out undo time-out Views IKE DPD view Default command level 2: System level Parameters time-out: DPD packet retransmission interval in seconds, in the range 1 to 60. Usage guidelines The default DPD packet retransmission interval is 5 seconds. Examples # Set the DPD packet retransmission interval to 1 second for dpd2.
  • Page 366: Ssh Configuration Commands

    SSH configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server configuration commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
  • Page 367 Table 51 Command output Field Description SSH Server: Whether the SSH server function is enabled. SSH version: SSH protocol version. When the SSH supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2. SSH authentication-timeout: Authentication timeout timer. SSH server key generating interval: SSH server key pair update interval.
  • Page 368: Display Ssh User-Information

    display ssh user-information Use display ssh user-information on an SSH server to display information about SSH users. Syntax display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters username: Specifies an SSH username, a string of 1 to 80 characters.
  • Page 369: Sftp Server Enable

    Related commands ssh user sftp server enable Use sftp server enable to enable the SFTP server function. Use undo sftp server enable to disable the SFTP server function. Syntax sftp server enable undo sftp server enable Default The SFTP server function is disabled. Views System view Default command level...
  • Page 370: Ssh Server Authentication-Retries

    Parameters time-out-value: Specifies a timeout timer in minutes, in the range of 1 to 35791. Usage guidelines If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, you can set a smaller value so that the connection resources can be properly released.
  • Page 371: Ssh Server Authentication-Timeout

    [Sysname] ssh server authentication-retries 4 Related commands display ssh server ssh server authentication-timeout Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server. If a user does not finish the authentication when the timer expires, the connection is down. Use undo ssh server authentication-timeout to restore the default.
  • Page 372: Ssh Server Enable

    Views System view Default command level 3: Manage level Usage guidelines The configuration takes effect only for the clients at next login. Examples # Enable the SSH server to support SSH1 clients. <Sysname> system-view [Sysname] ssh server compatible-ssh1x enable Related commands display ssh server ssh server enable Use ssh server enable to enable the SSH server function so that the SSH clients use SSH to communicate...
  • Page 373: Ssh User

    Syntax ssh server rekey-interval hours undo ssh server rekey-interval Default The update interval of the RSA server key is 0. That is, the system does not update the RSA server key pairs. Views System view Default command level 3: Manage level Parameters hours: Specifies an interval for updating the server key pair in hours, in the range of 1 to 24.
  • Page 374 Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. service-type: Specifies the service type of an SSH user: all: Specifies Stelnet, SFTP, and SCP. scp: Specifies the service type as SCP. sftp: Specifies the service type as SFTP. stelnet: Specifies the service type as Stelnet.
  • Page 375: Ssh Client Configuration Commands

    publickey authentication or using both publickey authentication and password authentication, the working folder is the one set by using the ssh user command. Examples # Create an SSH user named user1, setting the service type as sftp, the authentication method as publickey, assigning a public key named key1 to the client, and the work folder of the SFTP server as cfa0: <Sysname>...
  • Page 376: Cdup

    Default command level 3: Manage level Parameters remote-path: Specifies a path on the server. If you do not specify this argument, the command displays the current working path. Usage guidelines You can use the cd .. command to return to the upper-level directory. You can use the cd / command to return to the root directory of the system.
  • Page 377: Dir

    Parameters remote-file&<1-10>: Specifies one or more files to delete on the server. &<1-10> means that you can provide up to 10 filenames, which are separated by spaces. Usage guidelines This command functions as the remove command. Examples # Delete file temp.c from the server.
  • Page 378: Display Sftp Client Source

    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2 -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2 display sftp client source Use display sftp client source to display the source IP address or source interface set for the SFTP client.
  • Page 379: Display Ssh Server-Info

    Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 380: Exit

    When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to check the public key of the server saved on the client. Examples # Display the mappings between SSH servers and their host public keys on the client.
  • Page 381: Help

    Views SFTP client view Default command level 3: Manage level Parameters remote-file: Specifies the name of a file on the SFTP server. local-file: Specifies the name for the local file. Usage guidelines If you do not specify the local-file argument, the file will be saved locally with the same name as that on the SFTP server.
  • Page 382: Mkdir

    Syntax ls [ -a | -l ] [ remote-path ] Views SFTP client view Default command level 3: Manage level Parameters -a: Displays the filenames and the folder names of the specified directory. -l: Displays in a list form detailed information of the files and folders of the specified directory. remote-path: Specifies the directory to be queried.
  • Page 383: Put

    Examples # Create a directory named test on the SFTP server. sftp-client> mkdir test New directory created Use put to upload a local file to an SFTP server. Syntax put local-file [ remote-file ] Views SFTP client view Default command level 3: Manage level Parameters local-file: Specifies the name of a local file.
  • Page 384: Quit

    quit Use quit to terminate the connection with an SFTP server and return to user view. Syntax quit Views SFTP client view Default command level 3: Manage level Usage guidelines This command functions as the bye and exit commands. Examples # Terminate the connection with the SFTP server.
  • Page 385: Rename

    File successfully Removed rename Use rename to change the name of a specified file or directory on an SFTP server. Syntax rename oldname newname Views SFTP client view Default command level 3: Manage level Parameters oldname: Specifies the name of an existing file or directory. newname: Specifies a new name for the file or directory.
  • Page 386 Syntax In non-FIPS mode: scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *...
  • Page 387: Sftp

    prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96. md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode. md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode. ...
  • Page 388 Syntax In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * In FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-ctos-cipher...
  • Page 389: Sftp Client Ipv6 Source

    prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode, and is dh-group14 in FIPS mode. dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not available in FIPS mode. dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not ...
  • Page 390: Sftp Client Source

    Usage guidelines To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, HP recommends you to specify a loopback interface as the source interface.
  • Page 391: Sftp Ipv6

    Usage guidelines To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, HP recommends you to specify a loopback interface as the source interface.
  • Page 392 rsa: Specifies the public key algorithm rsa. prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used. zlib: Specifies the compression algorithm ZLIB. zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. 3des: Specifies the encryption algorithm 3des-cbc.
  • Page 393: Ssh Client Authentication Server

    The preferred client-to-server HMAC algorithm is sha1-96. The preferred key exchange algorithm is dh-group14. The preferred server-to-client encryption algorithm is aes128. The preferred server-to-client HMAC algorithm is sha1-96. Examples # Connect to server 2:5::8:9, using the following connection scheme: The preferred key exchange algorithm: dh-group1.
  • Page 394: Ssh Client First-Time Enable

    <Sysname> system-view [Sysname] ssh client authentication server 192.168.0.1 assign publickey key1 Related commands ssh client first-time enable ssh client first-time enable Use ssh client first-time enable to enable the first-time authentication function. Use undo ssh client first-time to disable the function. Syntax ssh client first-time enable undo ssh client first-time...
  • Page 395: Ssh Client Source

    Usage guidelines To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends you to specify a loopback interface as the source interface.
  • Page 396: Ssh2

    Usage guidelines To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends you to specify a loopback interface as the source interface.
  • Page 397 prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used. zlib: Specifies the compression algorithm ZLIB. zlib-openssh: Specifies the compression algorithm zlib@openssh.com. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode. ...
  • Page 398: Ssh2 Ipv6

    The preferred key exchange algorithm is dh-group14. The preferred server-to-client encryption algorithm is aes128. The preferred server-to-client HMAC algorithm is sha1-96. Examples # Log in to Stelnet server 10.214.50.51, using the following connection scheme: The preferred key exchange algorithm: dh-group1. The preferred server-to-client encryption algorithm: aes128.
  • Page 399 prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used. zlib: Specifies the compression algorithm ZLIB. zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode. ...
  • Page 400 The preferred key exchange algorithm is dh-group14. The preferred server-to-client encryption algorithm is aes128. The preferred server-to-client HMAC algorithm is sha1-96. Examples # Log in to Stelnet server 2000::1, using the following connection scheme: The preferred key exchange algorithm: dh-group1. The preferred server-to-client encryption algorithm: aes128.
  • Page 401: Ssl Configuration Commands

    SSL configuration commands The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The following matrix shows the commands and router compatibility: Command 6602...
  • Page 402: Client-Verify Enable

    rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of DES_CBC, and the MAC algorithm of SHA. rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of MD5. rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit RC4, and the MAC algorithm of SHA.
  • Page 403: Client-Verify Weaken

    <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] client-verify enable Related commands client-verify weaken, display ssl server-policy client-verify weaken Use client-verify weaken to enable SSL client weak authentication. Use undo client-verify weaken to restore the default. Syntax client-verify weaken undo client-verify weaken Default SSL client weak authentication is disabled.
  • Page 404: Close-Mode Wait

    close-mode wait Use close-mode wait to set the SSL connection close mode to wait mode. In this mode, after sending a close-notify alert message to a client, the server does not close the connection until it receives a close-notify alert message from the client. Use undo close-mode wait to restore the default.
  • Page 405: Display Ssl Server-Policy

    exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about SSL client policy policy1. <Sysname>...
  • Page 406: Handshake Timeout

    Examples # Display information about SSL server policy policy1. <Sysname> display ssl server-policy policy1 SSL Server Policy: policy1 PKI Domain: domain1 Ciphersuite: RSA_RC4_128_MD5 RSA_RC4_128_SHA RSA_DES_CBC_SHA RSA_3DES_EDE_CBC_SHA RSA_AES_128_CBC_SHA RSA_AES_256_CBC_SHA Handshake Timeout: 3600 Close-mode: wait disabled Session Timeout: 3600 Session Cachesize: 500 Client-verify: disabled Client-verify weaken: disabled Table 56 Command output...
  • Page 407: Pki-Domain

    Syntax handshake timeout time undo handshake timeout Default The handshake timeout time is 3600 seconds. Views SSL server policy view Default command level 2: System level Parameters time: Handshake timeout time in seconds. The value range is 180 to 7200. Usage guidelines If the SSL server receives no packet from the SSL client before the handshake timeout time expires, the SSL server terminates the handshake process.
  • Page 408: Prefer-Cipher

    Usage guidelines If you do not specify a PKI domain for an SSL server policy, the SSL server generates and signs a certificate for itself rather than obtaining one from a CA server. Examples # Configure SSL server policy policy1 to use PKI domain server-domain. <Sysname>...
  • Page 409: Server-Verify Enable

    rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA. rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
  • Page 410: Session

    Related commands display ssl client-policy session Use session to set the maximum number of cached sessions and the caching timeout time. Use undo session to restore the default. Syntax session { cachesize size | timeout time } * undo session { cachesize | timeout } * Default The maximum number of cached sessions is 500 and the caching timeout time is 3600 seconds.
  • Page 411: Ssl Server-Policy

    Syntax ssl client-policy policy-name undo ssl client-policy { policy-name | all } Views System view Default command level 2: System level Parameters policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be a, al, or all. all: Specifies all SSL client policies.
  • Page 412: Version

    <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] Related commands display ssl server-policy version Use version to specify the SSL protocol version for an SSL client policy. Use undo version to restore the default. Syntax In non-FIPS mode: version { ssl3.0 | tls1.0 } undo version In FIPS mode: version tls1.0...
  • Page 413: Ssl Vpn Configuration Commands

    SSL VPN configuration commands The following matrix shows the command and router compatibility: Command 6602 HSR6602 6604/6608/6616 SSL VPN commands Yes on routers with MCP MPU ssl-vpn enable Use ssl-vpn enable to enable the SSL VPN service. Use undo ssl-vpn enable to disable the SSL VPN service. Syntax ssl-vpn enable undo ssl-vpn enable...
  • Page 414 Use undo ssl-vpn server-policy to restore the default. Syntax ssl-vpn server-policy server-policy-name [ port port-number ] undo ssl-vpn server-policy Default No SSL server policy is specified for the SSL VPN service. Views System view Default command level 2: System level Parameters server-policy-name: Name of the SSL server policy, a case-insensitive string of 1 to 16 characters.
  • Page 415: Firewall Configuration Commands

    Firewall configuration commands Packet-filter firewall configuration commands display firewall ipv6 statistics Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall. Syntax display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 416: Display Firewall-Statistics

    Table 57 Command output Field Description Interface: Interface configured with the IPv6 packet filtering function. In-bound Policy: Indicates that an IPv6 ACL is configured in the inbound direction of the interface. Out-bound Policy: Indicates that an IPv6 ACL is configured in the outbound direction of the interface.
  • Page 417: Firewall Default

    exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display packet filtering statistics on all interfaces. <Sysname>...
  • Page 418: Firewall Ipv6 Default

    Syntax firewall enable { all | slot slot-number } undo firewall enable Default The IPv4 firewall function is disabled. Views System view Default command level 2: System level Parameters all: Specifies that the configuration applies to all interface cards. slot slot-number: Specifies that the configuration applies to the interface card in the specified slot. The following matrix shows the all keyword, the slot slot-number option, and hardware compatibility: Hardware Compatibility...
  • Page 419: Firewall Ipv6 Enable

    Examples # Specify the default filtering action of the IPv6 firewall as denying packets to pass. <Sysname> system-view [Sysname] firewall ipv6 default deny firewall ipv6 enable Use firewall ipv6 enable to enable the IPv6 firewall function. Use undo firewall ipv6 enable to disable the IPv6 firewall function. Syntax firewall ipv6 enable undo firewall ipv6 enable...
  • Page 420: Firewall Packet-Filter Ipv6

    name acl-name: Specifies the name of a basic or advanced IPv4 ACL; a case-insensitive string of 1 to 63 characters that must start with an English letter a to z or A to Z. To avoid confusion, the word "all" cannot be used as the ACL name.
  • Page 421: Reset Firewall Ipv6 Statistics

    [Sysname-GigabitEthernet3/0/1] firewall packet-filter ipv6 2500 outbound reset firewall ipv6 statistics Use reset firewall ipv6 statistics to clear the packet filtering statistics of the IPv6 firewall. Syntax reset firewall ipv6 statistics { all | interface interface-type interface-number } Views User view Default command level 1: Monitor level Parameters...
  • Page 422: Aspf Configuration Commands

    ASPF configuration commands aspf-policy Use aspf-policy to create an ASPF policy and enter its view. Use undo aspf-policy to remove an ASPF policy. Syntax aspf-policy aspf-policy-number undo aspf-policy aspf-policy-number Views System view Default command level 2: System level Parameters aspf-policy-number: Specifies an ASPF policy number in the range of 1 to 99. Usage guidelines A defined ASPF policy can be applied through its policy number.
  • Page 423: Display Aspf Interface

    regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display information about all ASPF policies. <Sysname> display aspf all [ASPF Policy Configuration] Policy Number 1: icmp-error drop tcp syn-check Policy Number 2: undo icmp-error drop undo tcp syn-check [Interface Configuration] Interface...
  • Page 424: Display Aspf Policy

    Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 425: Display Port-Mapping

    <Sysname> display aspf policy 1 [ASPF Policy Configuration] Policy Number 1: icmp-error drop tcp syn-check Table 60 Command output Field Description [ASPF Policy Configuration]: ASPF policy configuration information. Policy Number: ASPF policy number. icmp-error drop: Drop ICMP error messages. tcp syn-check: Drop a non-SYN packet that is the first packet over a TCP connection.
  • Page 426: Firewall Aspf

    h323 1720 system defined http system defined rtsp system defined smtp system defined system defined https system defined 18000 system defined system defined Table 61 Command output Field Description SERVICE Application layer protocol that is mapped to a port. PORT Number of the port for the application layer protocol.
  • Page 427: Icmp-Error Drop

    icmp-error drop Use icmp-error drop to specify to drop ICMP error messages. Use undo icmp-error drop to restore the default. Syntax icmp-error drop undo icmp-error drop Default ICMP error messages are not dropped. Views ASPF policy view Default command level 2: System level Examples # Configure ASPF policy 1 to drop ICMP error messages.
  • Page 428: Tcp Syn-Check

    acl acl-number: Specifies the IPv4 ACL for indicating the host range. The ACL number is in the range of 2000 to 2999. Examples # Map port 3456 to the FTP protocol. <Sysname> system-view [Sysname] port-mapping ftp port 3456 Related commands display port-mapping tcp syn-check Use tcp syn-check to specify to drop any non-SYN packet that is the first packet over a TCP connection.
  • Page 429: Alg Configuration Commands

    ALG configuration commands Use alg to enable ALG for a protocol. Use undo alg to disable ALG for a protocol. Syntax alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp } undo alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp } Default The ALG feature is enabled for all protocols.
  • Page 430 # Disable ALG for DNS. <Sysname> system-view [Sysname] undo alg dns...
  • Page 431: Session Management Commands

    Session management commands application aging-time Use application aging-time to set the aging timer for the sessions of an application layer protocol. Use undo application aging-time to restore the default. Syntax application aging-time { dns | ftp | msn | qq | sip } time-value undo application aging-time [ dns | ftp | msn | qq | sip ] Default The default session aging times for the application layer protocols vary with device models.
  • Page 432: Display Application Aging-Time

    display application aging-time Use display application aging-time to display the session aging timers for the application layer protocols. Syntax display application aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression.
  • Page 433: Display Session Hardware

    Syntax display session aging-time [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
  • Page 434: Display Session Relation-Table

    Syntax display session hardware slot slot-number [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters slot slot-number: Displays the session count on the specified card. The slot-number argument represents the number of the slot where the card resides.
  • Page 435 Parameters slot slot-number: Displays the relationship table entries on the specified card. The slot-number argument represents the number of the slot where the card resides. The following matrix shows the slot slot-number option and hardware compatibility: Hardware Compatibility 6602 HSR6602 6604/6608/6616 |: Filters command output by specifying a regular expression.
  • Page 436: Display Session Statistics

    Field Description Remaining lifetime of the relationship table entry, in seconds. AllowConn Number of sessions allowed by the relationship table entry. Total find Total number of found relationship table entries. display session statistics Use display session statistics to display statistics for the sessions. Syntax display session statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Views...
  • Page 437 Current TCP session(s): 0 Half-Open: 0 Half-Close: 0 Current UDP session(s): 593951 Current ICMP session(s): 0 Current RAWIP session(s): 0 Current relation table(s): 50000 Session establishment rate: 184503/s Session establishment rate: Session establishment rate: 184503/s ICMP Session establishment rate: RAWIP Session establishment rate: Received TCP:...
  • Page 438: Display Session Table

    Field Description Dropped TCP Counts of dropped TCP packets and bytes. Dropped UDP Counts of dropped UDP packets and bytes. Dropped ICMP Counts of dropped ICMP packets and bytes. Dropped RAWIP Counts of dropped Raw IP packets and bytes. display session table Use display session table to display information about sessions.
  • Page 439 If no slot number is specified, the command displays the sessions on all cards. If multiple keywords are specified, the command displays the sessions that match all these criteria. This command is not supported by the SPE-FWM-200, SPE-IPS-200, SPE-ACG-200, and FIP600 cards. Examples # Display brief information about all sessions.
  • Page 440: Reset Session

    Total find: 2 Table 66 Command output Field Description Initiator: Session information of the initiator. Responder: Session information of the responder. Transport layer protocol, TCP, UDP, ICMP, or Raw IP. VPN-Instance/VLAN ID/VLL ID: MPLS L3VPN that the session belongs to, and the VLAN and INLINE that the session belongs to during Layer 2 forwarding.
  • Page 441: Reset Session Statistics

    Views User view Default command level 2: System level Parameters slot slot-number: Clears the sessions on the specified card. The slot-number argument represents the number of the slot where the card resides. The following matrix shows the slot slot-number option and hardware compatibility: Hardware Compatibility 6602...
  • Page 442: Session Aging-Time

    Default command level 2: System level Parameters slot slot-number: Clears the session statistics on the specified card. The slot-number argument specifies the slot where the card resides. The following matrix shows the slot slot-number option and hardware compatibility: Hardware Compatibility 6602 HSR6602 6604/6608/6616...
  • Page 443: Session Checksum

    rawip-open: Specifies the aging timer for the sessions in the RAWIP_OPEN state. rawip-ready: Specifies the aging timer for the sessions in the RAWIP_READY state. syn: Specifies the aging timer for the TCP sessions in the SYN_SENT or SYN_RCV state. tcp-est: Specifies the aging timer for the TCP sessions in the ESTABLISHED state. udp-open: Specifies the aging timer for the UDP sessions in the OPEN state.
  • Page 444: Session Early-Ageout

    Default command level 2: System level Parameters all: Enables checksum verification for TCP, UDP, and ICMP packets. icmp: Enables checksum verification for ICMP packets. tcp: Enables checksum verification for TCP packets. udp: Enables checksum verification for UDP packets. Examples # Enable checksum verification for UDP packets. <Sysname>...
  • Page 445: Session Log Bytes-Active

    If the difference between the session aging time and the value specified by the shorten-time argument is less than 5 seconds, the session aging time becomes 5 seconds. Examples # Configure the session aging time to shorten by 100 seconds when the session ratio exceeds 80 percent, and to restore the normal values when the session ratio equals or drops below 20 percent.
  • Page 446: Session Log Packets-Active

    Default command level 2: System level Parameters acl acl-number: Specifies the ACL to be used to match sessions for logging. The value range for the acl-number argument is 2000 to 3999. inbound: Specifies session logs in the inbound direction. outbound: Specifies session logs in the outbound direction. Usage guidelines If you do not specify the acl acl-number option, the command enables session logging for all sessions on the interface.
  • Page 447: Session Log Time-Active

    Examples # Set the packet count threshold for session logging to 10 mega-packets. <Sysname> system-view [Sysname] session log packets-active 10 session log time-active Use session log time-active to set the holdtime threshold for session logging. Use undo session log time-active to remove the setting. Syntax session log time-active time-value undo session log time-active...
  • Page 448: Session Persist Acl

    Parameters max-entries: Specifies the maximum number of sessions. The value range is 1 to 10000000. slot slot-number: Specifies a slot. The following matrix shows the slot slot-number option and hardware compatibility: Hardware Compatibility 6602 HSR6602 6604/6608/6616 Usage guidelines For distributed devices, you can set the maximum number of sessions based on slots. The maximum number should not exceed the session count specification of a device or a card.
  • Page 449 A persistent session rule can reference only one ACL. Examples # Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours. <Sysname> system-view [Sysname] session persist acl 2000 aging-time 72 Related commands reset session...
  • Page 450: Connection Limit Configuration Commands

    Connection limit configuration commands connection-limit apply policy Use connection-limit apply policy to apply a connection limit policy to the NAT module. Use undo connection-limit apply policy to remove the application. Syntax connection-limit apply policy policy-number undo connection-limit apply policy policy-number Views System view Default command level...
  • Page 451: Display Connection-Limit Policy

    Default command level 2: System level Parameters policy-number: Specifies the number of a connection limit policy. The value is 0. Usage guidelines A connection limit policy contains a set of rules for limiting the number of connections of a specific user. A policy number uniquely identifies a connection limit policy.
  • Page 452: Limit

    limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp max-connections 200 per-source Table 67 Command output Field Description Connection-limit policy Number of the connection limit policy. refcount 0, 1 limits Number of times that the policy is applied and number of rules in the policy. limit xxx Rule in the policy.
  • Page 453 The connection limit rules in a policy are matched in ascending order of rule ID. Take the match order into consideration when assigning the rule IDs. HP recommends that you arrange the rules by limit granularity and limit range in ascending order.
  • Page 454: Web Filtering Configuration Commands

    Web filtering configuration commands display firewall http activex-blocking Use display firewall http activex-blocking to display information about ActiveX blocking. Syntax display firewall http activex-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 455: Display Firewall Http Java-Blocking

    ---------------------------------------------- .OCX .vbs Table 68 Command output Field Description Serial number. Match-Times Number of times that a suffix keyword is matched. Keywords ActiveX blocking suffix keyword. # Display detailed ActiveX blocking information. <Sysname> display firewall http activex-blocking verbose ActiveX blocking is enabled. No ACL group has been configured.
  • Page 456: Display Firewall Http Url-Filter Host

    Examples # Display brief information about Java blocking. <Sysname> display firewall http java-blocking Java blocking is enabled. # Display Java blocking information for a specific suffix keyword. <Sysname> display firewall http java-blocking item .class The HTTP request packet including ".class" had been matched for 10 times. # Display Java blocking information for all suffix keywords.
  • Page 457 item keywords: Specifies a filtering keyword. The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include 0 to 9, a to z, A to Z, dot (.), hyphen (-), underline (_), and the wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*). For the meanings and usage guidelines of the wildcards, see the description of the firewall http url-filter host url-address command.
  • Page 458: Display Firewall Http Url-Filter Parameter

    Table 71 Command output Field Description Default method: Default URL address filtering action, permit or deny. The support for IP address: Support for website IP addresses, permit or deny. display firewall http url-filter parameter Use display firewall http url-filter parameter to display information about URL parameter filtering. Syntax display firewall http url-filter parameter [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]...
  • Page 459: Firewall Http Activex-Blocking Acl

    # Display URL parameter filtering information for all keywords. <Sysname> display firewall http url-filter parameter all Match-Times Keywords ---------------------------------------------- ^select$ ^insert$ ^update$ ^delete$ ^drop$ ‘ ^exec$ qqqqq Table 72 Command output Field Description Serial number. Match-Times Number of times that the keyword has been matched. Keywords URL parameter filtering keyword.
  • Page 460: Firewall Http Activex-Blocking Enable

    Usage guidelines After the command takes effect, all web requests containing any suffix keywords in the ActiveX blocking suffix list will be processed according to the ACL. You can specify multiple ACLs for ActiveX blocking, but only the last one takes effect. You can specify a non-existing ACL, but ActiveX blocking based on the ACL takes effect only after you create and configure the ACL correctly.
  • Page 461: Firewall Http Java-Blocking Acl

    Syntax firewall http activex-blocking suffix keywords undo firewall http activex-blocking suffix keywords Views System view Default command level 2: System level Parameters keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters. Usage guidelines You can add a maximum of 5 ActiveX blocking suffix keywords.
  • Page 462: Firewall Http Java-Blocking Enable

    You can specify multiple ACLs for Java blocking, but only the last one takes effect. You can specify a non-existing ACL, but Java blocking based on the ACL takes effect only after you create and configure the ACL correctly. Examples # Specify the ACL for Java blocking as ACL 2002.
  • Page 463: Firewall Http Url-Filter Host Acl

    Views System view Default command level 2: System level Parameters keywords: Blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters. Usage guidelines You can add a maximum of five Java blocking suffix keywords.
  • Page 464: Firewall Http Url-Filter Host Default

    Examples # Specify URL address filtering to permit web requests with website IP addresses permitted by ACL 2000. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 0 permit source 3.3.3.3 0.0.0.0 [Sysname-acl-basic-2000] quit [Sysname] firewall http url-filter host acl 2000 Related commands display firewall http url-filter host firewall http url-filter host default...
  • Page 465: Firewall Http Url-Filter Host Ip-Address

    Default The URL address filtering function is disabled. Views System view Default command level 2: System level Examples # Enable the URL address filtering function. <Sysname> system-view [Sysname] firewall http url-filter host enable Related commands display firewall http url-filter host firewall http url-filter host ip-address Use firewall http url-filter host ip-address to enable/disable support for IP address in URL address filtering, that is, to permit or deny web requests using IP addresses for access to websites.
  • Page 466: Firewall Http Url-Filter Host Url-Address

    firewall http url-filter host url-address Use firewall http url-filter host url-address to add a URL address filtering entry and set the filtering action. Use undo firewall http url-filter host url-address to remove one or all URL address filtering entries. Syntax firewall http url-filter host url-address { deny | permit } url-address undo firewall http url-filter host url-address [ url-address ] Views...
  • Page 467: Firewall Http Url-Filter Parameter

    A filtering entry with only numerals is invalid. To filter a website address like www.123.com, define a filtering entry like ^123$, www.123.com, or 123.com, instead of 123. HP recommends that you use exact match to filter numeral website addresses.
  • Page 468: Firewall Http Url-Filter Parameter Enable

    Wildcard Meaning Usage guidelines Matches parameters ending with the keyword. It can be present once, at the end of a filtering entry. It can be present multiple times at any position of a filtering entry, consecutively or inconsecutively, and cannot be used next to an &...
  • Page 469: Reset Firewall Http

    Views System view Default command level 2: System level Examples # Enable the URL parameter filtering function. <Sysname> system-view [Sysname] firewall http url-filter parameter enable Related commands display firewall http url-filter parameter reset firewall http Use reset firewall http to clear web filtering statistics. Syntax reset firewall http { activex-blocking | java-blocking | url-filter host | url-filter parameter } counter Views...
  • Page 470: Attack Detection And Protection Configuration Commands

    Attack detection and protection configuration commands attack-defense apply policy Use attack-defense apply policy to apply an attack protection policy to an interface. Use undo attack-defense apply policy to restore the default. Syntax attack-defense apply policy policy-number undo attack-defense apply policy Default No attack protection policy is applied to an interface.
  • Page 471: Attack-Defense Policy

    Syntax attack-defense logging enable undo attack-defense logging enable Default Attack protection logging is disabled. Views System view Default command level 2: System level Examples # Enable attack protection logging. <Sysname> system-view [Sysname] attack-defense logging enable attack-defense policy Use attack-defense policy to create an attack protection policy and enter attack protection policy view. Use undo attack-defense policy to remove an attack protection policy.
  • Page 472: Blacklist Enable

    Related commands display attack-defense policy blacklist enable Use blacklist enable to enable the blacklist function. Use undo blacklist enable to restore the default. Syntax blacklist enable undo blacklist enable Default The blacklist function is disabled. Views System view Default command level 2: System level Usage guidelines After the blacklist function is enabled, you can add blacklist entries manually or configure the device to...
  • Page 473: Defense Icmp-Flood Action Drop-Packet

    Default command level 2: System level Parameters source-ip-address: IP address to be added to the blacklist, used to match the source IP address of packets. all: Specifies all blacklist entries. timeout minutes: Specifies an aging time for the blacklist entry. minutes indicates the aging time, and the value range is 1 to 1000, in minutes.
  • Page 474: Defense Icmp-Flood Enable

    Related commands: defense icmp-flood enable, defense icmp-flood ip, defense icmp-flood rate-threshold, display attack-defense policy. defense icmp-flood enable Use defense icmp-flood enable to enable ICMP flood attack protection. Use undo defense icmp-flood enable to restore the default. Syntax defense icmp-flood enable undo defense icmp-flood enable...
  • Page 475: Defense Icmp-Flood Rate-Threshold

    Default No ICMP flood attack protection thresholds are configured for an IP address. Views Attack protection policy view Default command level 2: System level Parameters ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.
  • Page 476: Defense Scan Add-To-Blacklist

    Syntax defense icmp-flood rate-threshold high rate-number [ low rate-number ] undo defense icmp-flood rate-threshold Default The global action threshold is 1000 packets per second and the global silence threshold is 750 packets per second. Views Attack protection policy view Default command level 2: System level Parameters high rate-number: Sets the global action threshold for ICMP flood attack protection.
  • Page 477 Syntax defense scan add-to-blacklist undo defense scan add-to-blacklist Default The blacklist function for scanning attack protection is not enabled. Views Attack protection policy view Default command level 2: System level Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address. If the connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate command), the device considers the IP address a scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less than the threshold.
  • Page 478: Defense Scan Blacklist-Timeout

    defense scan max-rate. defense scan blacklist-timeout Use defense scan blacklist-timeout to specify the aging time for entries blacklisted by scanning attack protection. Use undo defense scan blacklist-timeout to restore the default, which is 10 minutes. Syntax defense scan blacklist-timeout minutes undo defense scan blacklist-timeout Views Attack protection policy view...
  • Page 479: Defense Scan Max-Rate

    Default command level 2: System level Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address. If the connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate command), the device considers the IP address a scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less than the threshold.
  • Page 480: Defense Syn-Flood Action

    [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense scan enable # Set the connection rate threshold for triggering scanning attack protection to 2000 connections per second. [Sysname-attack-defense-policy-1] defense scan max-rate 2000 Related commands: blacklist enable, defense scan add-to-blacklist, defense scan blacklist-timeout...
  • Page 481: Defense Syn-Flood Enable

    defense syn-flood enable Use defense syn-flood enable to enable SYN flood attack protection. Use undo defense syn-flood enable to restore the default. Syntax defense syn-flood enable undo defense syn-flood enable Default SYN flood attack protection is disabled. Views Attack protection policy view Default command level 2: System level Examples...
  • Page 482: Defense Syn-Flood Rate-Threshold

    high rate-number: Sets the action threshold for SYN flood attack protection of the specified IP address. The rate-number argument indicates the number of SYN packets sent to the specified IP address per second and is in the range of 1 to 64000. With SYN flood attack protection enabled, the device enters attack detection state.
  • Page 483: Defense Udp-Flood Action Drop-Packet

    Parameters high rate-number: Sets the global action threshold for SYN flood attack protection. The rate-number argument indicates the number of SYN packets sent to an IP address per second and is in the range of 1 to 64000. With the SYN flood attack protection enabled, the device enters attack detection state. When the device detects that the sending rate of SYN packets destined for an IP address constantly reaches or exceeds the specified action threshold, the device considers the IP address to be under attack, enters attack protection state, and takes protection actions as configured.
  • Page 484: Defense Udp-Flood Enable

    Examples # Configure attack protection policy 1 to drop UDP flood packets. <Sysname> system-view [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense udp-flood action drop-packet Related commands: defense udp-flood enable, defense udp-flood ip, defense udp-flood rate-threshold, display attack-defense policy. defense udp-flood enable Use defense udp-flood enable to enable UDP flood attack protection.
  • Page 485 Syntax defense udp-flood ip ip-address rate-threshold high rate-number [ low rate-number ] undo defense udp-flood ip ip-address [ rate-threshold ] Default No UDP flood attack protection thresholds are configured for an IP address. Views Attack protection policy view Default command level 2: System level Parameters ip-address: IP address to be protected.
  • Page 486: Defense Udp-Flood Rate-Threshold

    defense udp-flood rate-threshold Use defense udp-flood rate-threshold to configure the global action and silence thresholds for UDP flood attack protection. The device uses the global attack protection thresholds to protect the IP addresses for which you do not configure attack protection parameters specifically. Use undo defense udp-flood rate-threshold to restore the default.
  • Page 487: Display Attack-Defense Policy

    defense udp-flood enable, display attack-defense policy. display attack-defense policy Use display attack-defense policy to display configuration information about one or all attack protection policies. Syntax display attack-defense policy [ policy-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
  • Page 488 Add to blacklist : Enabled Blacklist timeout : 10 minutes Max-rate : 1000 connections/s Signature-detect action : Drop-packet -------------------------------------------------------------------------- ICMP flood attack-defense : Enabled ICMP flood action : Syslog ICMP flood high-rate : 2000 packets/s ICMP flood low-rate : 750 packets/s ICMP flood attack-defense for specific IP addresses: High-rate(packets/s) Low-rate(packets/s)
  • Page 489 Field Description WinNuke attack-defense Indicates whether WinNuke attack protection is enabled. LAND attack-defense Indicates whether Land attack protection is enabled. Source route attack-defense Indicates whether Source Route attack protection is enabled. Route record attack-defense Indicates whether Route Record attack protection is enabled. Scan attack-defense Indicates whether scanning attack protection is enabled.
  • Page 490: Display Attack-Defense Statistics Interface

    None GigabitEthernet3/0/2 Related commands attack-defense policy display attack-defense statistics interface Use display attack-defense statistics interface to display the attack protection statistics of an interface. Syntax display attack-defense statistics interface interface-type interface-number [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 491 Route record packets dropped : 100 Source route attacks Source route packets dropped : 100 Smurf attacks Smurf packets dropped : 100 TCP flag attacks TCP flag packets dropped : 100 Tracert attacks Tracert packets dropped : 100 WinNuke attacks WinNuke packets dropped : 100 Scan attacks...
  • Page 492: Display Blacklist

    Field Description Tracert attacks Number of detected Tracert attacks. Tracert packets dropped Number of Tracert packets dropped. WinNuke attacks Number of detected WinNuke attacks. WinNuke packets dropped Number of WinNuke packets dropped. Scan attacks Number of detected scanning attacks. Scan attack packets dropped Number of scanning attack packets dropped.
  • Page 493 Option 6602 HSR6602 6604/6608/6616 slot slot-number |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 494: Display Flow-Statistics Statistics

    Related commands: blacklist enable, blacklist ip. display flow-statistics statistics Use display flow-statistics statistics to display traffic statistics on interfaces based on IP addresses. Syntax display flow-statistics statistics [ slot slot-number ] { destination-ip dest-ip-address | source-ip src-ip-address } [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level...
  • Page 495: Display Flow-Statistics Statistics Interface

    ----------------------------------------------------------- IP Address 192.168.1.2 ----------------------------------------------------------- Total number of existing sessions Session establishment rate 10/s TCP sessions Half-open TCP sessions Half-close TCP sessions TCP session establishment rate 10/s UDP sessions UDP session establishment rate 10/s ICMP sessions ICMP session establishment rate 10/s RAWIP sessions RAWIP session establishment rate...
  • Page 496 Default command level 1: Monitor level Parameters interface-type interface-number: Specifies an interface by its type and number. inbound: Displays traffic statistics in the inbound direction of an interface. outbound: Displays traffic statistics in the outbound direction of an interface. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 497: Display Tcp-Proxy Protected-Ip

    Field Description UDP session establishment rate UDP connection establishment rate. ICMP sessions Number of ICMP connections. ICMP session establishment rate ICMP connection establishment rate. RAWIP sessions Number of RAWIP connections. RAWIP session establishment rate RAWIP connection establishment rate. display tcp-proxy protected-ip Use display tcp-proxy protected-ip to display information about IP addresses protected by the TCP proxy function.
  • Page 498: Flow-Statistics Enable

    Field Description Type: Type of the protected IP address. Dynamic indicates that the entry was dynamically added by the device. Lifetime(min): Remaining lifetime of the entry. If the value of this field is 0, the entry is deleted. Rejected packets: Number of packets matching this entry that have been dropped by the TCP proxy function.
  • Page 499: Reset Attack-Defense Statistics Interface

    reset attack-defense statistics interface Use reset attack-defense statistics interface to clear the attack protection statistics of an interface. Syntax reset attack-defense statistics interface interface-type interface-number Views User view Default command level 1: Monitor level Parameters interface-type interface-number: Specifies an interface by its type and number. Examples # Clear the attack protection statistics of interface GigabitEthernet 3/0/1.
  • Page 500: Signature-Detect Action Drop-Packet

    route-record: Specifies the route record packet attack. smurf: Specifies the Smurf packet attack. source-route: Specifies the source route packet attack. tcp-flag: Specifies the TCP flag packet attack. tracert: Specifies the Tracert packet attack. winnuke: Specifies the WinNuke packet attack. Examples # Enable signature detection of Fraggle attack in attack protection policy 1.
  • Page 501: Tcp-Proxy Enable

    Syntax signature-detect large-icmp max-length length undo signature-detect large-icmp max-length Default An ICMP packet length of 4000 bytes triggers large ICMP attack protection. Views Attack protection policy view Default command level 2: System level Parameters length: Maximum length of an ICMP packet, in the range of 28 to 65534 bytes. Usage guidelines With signature detection of large ICMP attack enabled, a device considers all ICMP packets longer than the specified maximum length as large ICMP attack packets.
  • Page 502: Tcp-Proxy Mode

    Default command level 2: System level Usage guidelines Usually, the TCP proxy function is used on a device's interfaces connected to external networks to protect internal servers from SYN flood attacks. When detecting a SYN flood attack, the device can take protection actions configured by using the defense syn-flood action command.
  • Page 503 Related commands: tcp-proxy enable, display tcp-proxy protected-ip...
  • Page 504: Tcp Attack Protection Configuration Commands

    TCP attack protection configuration commands display tcp status Use display tcp status to display status of all TCP connections for monitoring TCP connections. Syntax display tcp status [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters...
  • Page 505: Tcp State

    Use undo tcp anti-naptha enable to disable the protection against Naptha attack. Syntax tcp anti-naptha enable undo tcp anti-naptha enable Default The protection against Naptha attack is disabled. Views System view Default command level 2: System level Usage guidelines The configurations made by using the tcp state and tcp timer check-state commands are removed after the protection against Naptha attack is disabled.
  • Page 506: Tcp Syn-Cookie Enable

    last-ack: LAST_ACK state of a TCP connection. syn-received: SYN_RECEIVED state of a TCP connection. connection-number number: Maximum number of TCP connections in a certain state. The number argument is in the range of 0 to 500. Usage guidelines You need to enable the protection against Naptha attack before executing this command. Otherwise, an error message is displayed.
  • Page 507 Use undo tcp timer check-state to restore the default. Syntax tcp timer check-state time-value undo tcp timer check-state Default The TCP connection state check interval is 30 seconds. Views System view Default command level 2: System level Parameters time-value: TCP connection state check interval in seconds, in the range of 1 to 60. Usage guidelines The device periodically checks the number of TCP connections in each state.
  • Page 508: Ip Source Guard Configuration Commands

    IP source guard configuration commands IP source guard configuration commands are available only for SAP interface modules operating in Layer 2 mode. display ip source binding Use display ip source binding to display IPv4 source guard entries. Syntax display ip source binding [ static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Views Any view...
  • Page 509: Ip Source Binding

    <Sysname> display ip source binding Total entries found: 5 MAC Address IP Address VLAN Interface Type 040a-0000-4000 10.1.0.9 GE3/0/1 Static 040a-0000-3000 10.1.0.8 GE3/0/1 DHCP-SNP 040a-0000-2000 10.1.0.7 GE3/0/1 DHCP-SNP 040a-0000-1000 10.1.0.6 GE3/0/2 DHCP-RLY 040a-0000-0000 GE3/0/2 DHCP-RLY # Display all static IPv4 source guard entries. <Sysname>...
  • Page 510: Ip Verify Source

    Default No static IPv4 binding entry exists on a port. Views Layer 2 Ethernet interface view Default command level 2: System level Parameters ip-address ip-address: Specifies the IPv4 address for the static binding entry. The IPv4 address cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address. mac-address mac-address: Specifies the MAC address for the static binding in the format H-H-H.
  • Page 511: Ip Verify Source Max-Entries

    Parameters ip-address: Binds source IPv4 addresses to the port. ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port. mac-address: Binds source MAC addresses to the port. Usage guidelines After you enable the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard entries based on the DHCP snooping entries or the DHCP-relay entries, and all static IPv4 source guard entries on the port become effective.
  • Page 512 Parameters number: Maximum number of IPv4 source guard entries allowed on a port, in the range of 0 to 256. Usage guidelines If the maximum number of IPv4 binding entries to be configured is smaller than the number of existing IPv4 binding entries on the port, the maximum number can be configured successfully and the existing entries will not be affected.
  • Page 513: Arp Attack Protection Configuration Commands

    ARP attack protection configuration commands IP flood protection configuration commands arp resolving-route enable Use arp resolving-route enable to enable ARP black hole routing. Use undo arp resolving-route enable to disable the function. Syntax arp resolving-route enable undo arp resolving-route enable Default ARP black hole routing is disabled.
  • Page 514: Arp Source-Suppression Limit

    Examples # Enable the ARP source suppression function. <Sysname> system-view [Sysname] arp source-suppression enable Related commands display arp source-suppression arp source-suppression limit Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in five seconds. Unresolvable IP packets are packets that cannot be resolved by ARP. Use undo arp source-suppression limit to restore the default value, which is 10.
  • Page 515: Arp Packet Rate Limit Configuration Commands

    Default command level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 516: Arp Packet Source Mac Consistency Check Configuration Commands

    Parameters disable: Disables ARP packet rate limit. rate pps: ARP packet rate in pps, in the range of 5 to 8192. drop: Discards the packets that exceed the rate limit. slot slot-number: Specifies the slot number of the card. The following matrix shows the option and router compatibility: Option 6602 HSR6602...
  • Page 517: Arp Active Acknowledgement Configuration Commands

    [Sysname] arp anti-attack valid-check enable ARP active acknowledgement configuration commands arp anti-attack active-ack enable Use arp anti-attack active-ack enable to enable the ARP active acknowledgement function. Use undo arp anti-attack active-ack enable to restore the default. Syntax arp anti-attack active-ack enable undo arp anti-attack active-ack enable Default The ARP active acknowledgement function is disabled.
  • Page 518: Arp Detection Configuration Commands

    Default Authorized ARP is not enabled on the interface. Views Layer 3 Ethernet interface view Default command level 2: System level Examples # Enable authorized ARP on GigabitEthernet 3/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 3/0/1 [Sysname-GigabitEthernet3/0/1] arp authorized enable ARP detection configuration commands NOTE: The commands of this feature are supported only when SAP modules operate in bridge mode.
  • Page 519: Arp Detection Enable

    ip-address: Matches a sender IP address. ip-address-mask: Specifies the mask for the sender IP address in dotted decimal format. If no mask is specified, the ip-address argument specifies a host IP address. mac { any | mac-address [ mac-address-mask ] }: Specifies the sender MAC address range. any: Matches any sender MAC address.
  • Page 520: Arp Detection Trust

    arp detection trust
    Use arp detection trust to configure the port as an ARP trusted port.
    Use undo arp detection trust to restore the default.
    Syntax
    arp detection trust
    undo arp detection trust
    Default
    The port is an ARP untrusted port.
    Views
    Layer 2 Ethernet interface view
    Default command level...
  • Page 521: Arp Restricted-Forwarding Enable

    ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests are checked.
  • Page 522: Display Arp Detection Statistics

    Parameters
    |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
    begin: Displays the first line that matches the specified regular expression and all lines that follow.
    exclude: Displays all lines that do not match the specified regular expression.
    include: Displays all lines that match the specified regular expression.
  • Page 523: Reset Arp Detection Statistics

    GE3/0/1(U)
    GE3/0/2(U)
    GE3/0/3(T)
    GE3/0/4(U)
    Table 84 Command output (Field, Description):
    Interface(State): State T or U identifies a trusted or untrusted port.
    Number of ARP packets discarded due to invalid source and destination IP addresses.
    Src-MAC: Number of ARP packets discarded due to invalid source MAC address.
  • Page 524: Arp Scan

    Syntax
    arp fixup
    Views
    System view
    Default command level
    2: System level
    Usage guidelines
    The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries. The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports.
  • Page 525: Arp Gateway Protection Configuration Commands

    range contains multiple network segments, the sender IP address in the ARP request is the interface address on the smallest network segment. If no address range is specified, the device only scans the network where the primary IP address of the interface resides for neighbors.
  • Page 526: Arp Filtering Configuration Commands

    Parameters
    ip-address: IP address of a protected gateway.
    Usage guidelines
    You can enable ARP gateway protection for up to eight gateways on a port.
    You cannot configure both arp filter source and arp filter binding commands on a port.
    Examples
    # Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
  • Page 527
    <Sysname> system-view
    [Sysname] interface gigabitethernet 3/0/1
    [Sysname-GigabitEthernet3/0/1] arp filter binding 1.1.1.1 2-2-2...
  • Page 528: Nd Attack Defense Configuration Commands

    ND attack defense configuration commands
    ipv6 nd mac-check enable
    Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets.
    Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets.
    Syntax
    ipv6 nd mac-check enable
    undo ipv6 nd mac-check enable
    Default
    Source MAC consistency check is disabled for ND packets.
  • Page 529: Urpf Configuration Commands

    URPF configuration commands
    ip urpf
    Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks.
    Use undo ip urpf to disable URPF check.
    Syntax
    ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
    undo ip urpf
    Default
    URPF check is disabled.
  • Page 530: Fips Configuration Commands

    FIPS configuration commands
    display fips status
    Use display fips status to display the current FIPS mode state.
    Syntax
    display fips status
    Views
    Any view
    Default command level
    1: Monitor level
    Examples
    # Display the current FIPS mode state.
    <Sysname> display fips status
    FIPS mode is enabled
    Related commands
    fips mode enable...
  • Page 531: Fips Self-Test

    Enable FIPS mode.
    Enable the password control function.
    Configure the username and password to log in to the device in FIPS mode. The password must comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters.
    Delete all MD5-based digital certificates.
  • Page 532
    Default command level
    3: Manage level
    Usage guidelines
    To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots.
    Examples
    # Trigger a self-test on the cryptographic algorithms.
  • Page 533: Support And Other Resources

    Related information
    Documents
    To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
    For related documentation, navigate to the Networking section, and select a networking category.
    •...
  • Page 534: Conventions

    Conventions
    This section describes the conventions used in this documentation set.
    Command conventions (Convention, Description):
    Boldface: Bold text represents commands and keywords that you enter literally as shown.
    Italic: Italic text represents arguments that you replace with actual values.
    Square brackets enclose syntax choices (keywords or arguments) that are optional.
    Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 535
    Network topology icons
    Represents a generic network device, such as a router, switch, or firewall.
    Represents a routing-capable device, such as a router or Layer 3 switch.
    Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 536: Index

    Index
    A B C D E F G H I K L M N O P Q R S T U V W
    aaa nas-id profile,1
    access-limit,41
    access-limit enable,1
    access-user detect,156
    attribute,246
    attribute 25 car,58
    authentication default,10
    authentication dvpn,11
    authentication lan-access,12
    authentication...
  • Page 537
    ciphersuite,388
    client-verify enable,389
    client-verify weaken,390
    close-mode wait,391
    common-name,251
    connection-limit apply policy,437
    connection-limit policy,437
    connection-name,273
    country,252
    check,252
    display attack-defense statistics interface,477
    display blacklist,479
    display connection,27
    display connection-limit policy,438
    display domain,31
    display dot1x,120
    display fips status,517
    display firewall http activex-blocking,441
    display firewall http java-blocking,442
    display firewall http url-filter...
  • Page 538
    display port-security,190
    display port-security mac-address block,193
    display port-security mac-address security,195
    display public-key local public,234
    display public-key peer,235
    display radius scheme,59
    display radius statistics,62
    display session aging-time,419
    display session...
    dot1x re-authenticate,138
    dot1x retry,139
    dot1x supp-proxy-check,140
    dot1x timer,141
    dot1x timer ead-timeout,145
    dot1x unicast-trigger,142
    dot1x url,146
    dpd,334
  • Page 539
    group,50
    group-attribute allow-guest,51
    handshake timeout,393
    help,368
    hwtacacs nas-ip,103
    hwtacacs scheme,104
    icmp-error drop,414
    idle-cut enable,35
    id-type,336
    dpd,337
    local-name,338
    ike next-payload check disabled,339
    ike peer (system view),340
    key (HWTACACS scheme view),104
    key (RADIUS scheme view),70
    ldap-server,260
    limit,439
    local,343
    local-address,344
    locality,261
    local-name,345
    local-user,51
    ls,368
    mac-authentication,150
    mac-authentication domain,151
    mac-authentication...
  • Page 540
    password-control login idle-time,225
    password-control login-attempt,225
    password-control password update interval,227
    password-control super aging,227
    password-control super composition,228
    password-control super length,229
    peer,346
    peer-public-key end,237
    pfs,305
    pki certificate access-control-policy,263...
    port-security max-mac-count,202
    port-security ntk-mode,203
    port-security oui,204
    port-security port-mode,205
    port-security timer autolearn aging,207
    port-security timer disableport,207
    port-security trap,208
    prefer-cipher,395
    pre-shared-key,347
  • Page 541
    reset firewall-statistics,408
    reset hwtacacs statistics,109
    reset ike sa,350
    reset ipsec sa,307
    reset ipsec statistics,308
    reset mac-authentication statistics,155
    reset password-control blacklist,230
    reset password-control history-record,230
    reset portal connection statistics,188
    reset portal server...
    self-service-url enable,39
    server-type,90
    server-verify enable,396
    service-type,54
    session,397
    session aging-time,429
    session checksum,430
    session early-ageout,431
    session log bytes-active,432
  • Page 542
    stop-accounting-buffer enable (HWTACACS scheme view),115
    stop-accounting-buffer enable (RADIUS scheme view),92
    Subscription service,520
    tcp anti-naptha enable,491
    state,492
    syn-check,415
    tcp syn-cookie enable,493
    tcp timer...
    timer response-timeout (RADIUS scheme view),95
    transform,321
    transform-set,321
    tunnel local,322
    tunnel remote,323
    user-group,55
    user-name-format (HWTACACS scheme view),118
    user-name-format (RADIUS scheme view),96
    user-profile,211

This manual is also suitable for:

Hp 6600