manualshive.com logo in svg

HP FlexNetwork MSR Series, Command Reference Manual

Share
Download
HP FlexNetwork MSR Series Command Reference Manual Download Page 596

 

578 

Usage guidelines

 

An IKEv2 profile contains the IKEv2 SA parameters that are not negotiated, such as the identity 
information and authentication methods of the peers, and the matching criteria for profile lookup. 

Examples 

# Create an IKEv2 profile named 

profile1

 and enter IKEv2 profile view. 

<Sysname> system-view 

[Sysname] ikev2 profile profile1 

[Sysname-ikev2-profile-profile1] 

Related commands 

display ikev2 profile 

ikev2 proposal 

Use 

ikev2 proposal 

to create an IKEv2 proposal and enter its view, or enter the view of an existing 

IKEv2 proposal. 

Use 

undo ikev2 proposal 

to delete an IKEv2 proposal. 

Syntax 

ikev2 proposal

 

proposal-name

 

undo

 

ikev2 proposal

 

proposal-name

 

Default 

An IKEv2 proposal named 

default

  exists, which has the lowest priority and uses the following 

settings: 

 

In non-FIPS mode: 

 

Encryption algorithm

—AES-CBC-128 and 3DES. 

 

Integrity protection algorithm

—HMAC-SHA1 and HMAC-MD5. 

 

PRF algorithm

—HMAC-SHA1 and HMAC-MD5. 

 

DH group

—Group 5 and group 2. 

 

In FIPS mode: 

 

Encryption algorithm

—AES-CBC-128 and AES-CTR-128. 

 

Integrity protection algorithm

—HMAC-SHA1 and HMAC-SHA256. 

 

PRF algorithm

—HMAC-SHA1 and HMAC-SHA256. 

 

DH group

—Group 14 and group 19. 

Views 

System view 

Predefined user roles 

network-admin 

Parameters 

proposal-name

: Specifies a name for the IKEv2 proposal. The proposal name is a case-insensitive 

string of 1 to 63 characters and cannot be 

default

.

 

Usage guidelines 

An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including  the 
encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. 

Summary of Contents for FlexNetwork MSR Series

Page 1: ...HPE FlexNetwork MSR Router Series Comware 7 Security Command Reference Part number 5200 3000 Software version MSR CMW710 R0413 Document version 6W102 20170101 ...

Page 2: ...nd 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise ...

Page 3: ...tion advpn 25 authorization command 26 authorization default 27 authorization ike 29 authorization ipoe 29 authorization lan access 30 authorization login 32 authorization portal 33 authorization ppp 34 authorization attribute ISP domain view 35 display domain 37 domain 41 domain default enable 42 domain if unknown 43 ita policy 44 nas id bind vlan 45 service type ISP domain view 45 session time i...

Page 4: ...ey RADIUS scheme view 91 nas ip RADIUS scheme view 92 port 93 primary accounting RADIUS scheme view 94 primary authentication RADIUS scheme view 95 radius dscp 97 radius dynamic author server 97 radius nas ip 98 radius scheme 99 radius session control client 100 radius session control enable 101 radius server test profile 101 reset radius statistics 102 retry 103 retry realtime accounting 104 seco...

Page 5: ...rver 142 login dn 142 login password 143 map 144 protocol version 145 search base dn 146 search scope 146 server timeout 147 user parameters 147 ITA policy commands 148 accounting level 148 accounting merge enable 149 accounting method 150 ita policy 151 traffic quota out 151 traffic separate 152 802 1X commands 153 display dot1x 153 display dot1x connection 158 dot1x 163 dot1x authentication meth...

Page 6: ...l nobinding enable 204 aging time 205 app id 205 app key 206 authentication timeout 207 auth url 208 binding retry 209 captive bypass enable 209 default logon page 210 display portal 211 display portal extend auth server 217 display portal local binding mac address 218 display portal mac trigger server 219 display portal packet statistics 221 display portal redirect statistics 224 display portal r...

Page 7: ...tal outbound filter enable 293 portal pre auth domain 294 portal packet log enable 295 portal pre auth ip pool 296 portal redirect log enable 296 portal refresh enable 297 portal roaming enable 298 portal safe redirect enable 298 portal safe redirect forbidden url 299 portal safe redirect method 300 portal safe redirect user agent 301 portal server 302 portal temp pass enable 303 portal traffic ac...

Page 8: ...splay password control 353 display password control blacklist 354 password control aging composition history length enable 355 password control aging 356 password control alert before expire 358 password control complexity 358 password control composition 359 password control enable 361 password control expired user login 362 password control history 363 password control length 364 password contro...

Page 9: ...crl domain 417 fqdn 419 ip 420 ldap server 420 locality 421 organization 422 organization unit 422 pki abort certificate request 423 pki certificate access control policy 424 pki certificate attribute group 424 pki delete certificate 425 pki domain 427 pki entity 427 pki export 428 pki import 435 pki request certificate 439 pki retrieve certificate 440 pki retrieve crl 442 pki storage 443 pki vali...

Page 10: ...dancy enable 493 ipsec sa global duration 493 ipsec sa idle time 494 ipsec transform set 495 local address 496 pfs 496 protocol 497 qos pre classify 498 redundancy replay interval 499 remote address 500 reset ipsec sa 501 reset ipsec statistics 502 reverse route dynamic 503 reverse route preference 504 reverse route tag 504 sa duration 505 sa hex key authentication 506 sa hex key encryption 507 sa...

Page 11: ...set ike sa 549 reset ike statistics 550 sa duration 551 snmp agent trap enable ike 551 IKEv2 commands 553 aaa authorization 553 address 554 authentication method 554 certificate domain 556 config exchange 557 display ikev2 policy 558 display ikev2 profile 559 display ikev2 proposal 560 display ikev2 sa 561 display ikev2 statistics 565 dh 566 dpd 567 encryption 568 hostname 569 identity 570 identit...

Page 12: ...en port 603 ssh redirect timeout 604 ssh server acl 604 ssh server authentication retries 605 ssh server authentication timeout 606 ssh server compatible ssh1x enable 607 ssh server dscp 608 ssh server enable 608 ssh server ipv6 acl 609 ssh server ipv6 dscp 610 ssh server rekey interval 610 ssh user 611 SSH client commands 614 bye 614 cd 614 cdup 615 delete 615 dir 615 display sftp client source 6...

Page 13: ...ply 659 aspf policy 659 detect 660 display aspf all 661 display aspf interface 662 display aspf policy 663 display aspf session 664 icmp error drop 670 reset aspf session 671 tcp syn check 671 APR commands 673 app group 673 application statistics enable 674 apr signature auto update 675 apr signature auto update now 675 apr signature rollback 676 apr signature update 676 copy app group 679 descrip...

Page 14: ...t session table multicast 746 reset session table multicast ipv4 747 reset session table multicast ipv6 748 session aging time application 750 session aging time state 752 session log bytes active 753 session log enable 754 session log flow begin 755 session log flow end 756 session log packets active 756 session log time active 757 session persistent acl 758 session state machine mode loose 759 s...

Page 15: ...obal enable 815 blacklist ip 816 blacklist ipv6 817 blacklist logging enable 818 blacklist object group 819 blacklist user 819 client verify dns enable 820 client verify http enable 821 client verify protected ip 822 client verify protected ipv6 823 client verify tcp enable 824 display attack defense flood statistics ip 825 display attack defense flood statistics ipv6 828 display attack defense po...

Page 16: ...eset client verify protected statistics 904 reset client verify trusted 905 rst flood action 905 rst flood detect 906 rst flood detect non specific 907 rst flood threshold 908 scan detect 909 signature large icmp large icmpv6 max length 910 signature detect 911 signature level action 914 signature level detect 915 syn ack flood action 915 syn ack flood detect 916 syn ack flood detect non specific ...

Page 17: ... commands 944 arp detection enable 945 arp detection rule 945 arp detection trust 946 arp detection validate 947 arp restricted forwarding enable 948 display arp detection 948 display arp detection statistics 949 reset arp detection statistics 949 ARP scanning and fixed ARP commands 950 arp fixup 950 arp scan 951 ARP gateway protection commands 952 arp filter source 952 ARP filtering commands 952 ...

Page 18: ...xvi Accessing updates 975 Websites 976 Customer self repair 976 Remote support 976 Documentation feedback 976 Index 978 ...

Page 19: ...fault No NAS ID profiles exist Views System view Predefined user roles network admin Parameters profile name Specifies the NAS ID profile name a case insensitive string of 1 to 31 characters Usage guidelines Configure a NAS ID profile to maintain NAS ID and VLAN bindings on the device Examples Create a NAS ID profile named aaa Sysname system view Sysname aaa nas id profile aaa Sysname nas id prof ...

Page 20: ...r of concurrent login users The value range for this argument is from 1 to 32 for the FTP SSH and Telnet services and is from 1 to 64 for the HTTP and HTTPS services Usage guidelines After the maximum number of concurrent login users for a user type exceeds the upper limit the system denies the subsequent users of this type Examples Set the maximum number of concurrent FTP users to 4 Sysname syste...

Page 21: ...up methods local accounting and no accounting The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid The device does not perform accounting when both of the previous methods are invalid Examples In ISP domain test perform local accounting for ADVPN users Sysname system view Sysname domain test Sysname isp test accounting advpn local In ISP ...

Page 22: ...name isp test accounting command hwtacacs scheme hwtac Related commands accounting default command accounting Fundamentals Command Reference hwtacacs scheme accounting default Use accounting default to specify the default accounting method for an ISP domain Use undo accounting default to restore the default Syntax In non FIPS mode accounting default hwtacacs scheme hwtacacs scheme name radius sche...

Page 23: ...p methods in sequence For example the accounting default radius scheme radius scheme name local none command specifies the primary default RADIUS accounting method and two backup methods local accounting and no accounting The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid The device does not perform accounting when both of the previous ...

Page 24: ...scheme radius scheme name local none command specifies a primary RADIUS accounting method and two backup methods local accounting and no accounting The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid The device does not perform accounting when both of the previous methods are invalid The following guidelines apply to broadcast accounting...

Page 25: ... broadcast radius scheme radius scheme name1 radius scheme radius scheme name2 local local radius scheme radius scheme name local undo accounting lan access Default The default accounting method for the ISP domain is used for LAN users Views ISP domain view Predefined user roles network admin Parameters broadcast Broadcasts accounting requests to servers in RADIUS schemes radius scheme radius sche...

Page 26: ...ary scheme does not return any result the device considers the accounting as a failure Examples In ISP domain test perform local accounting for LAN users Sysname system view Sysname domain test Sysname isp test accounting lan access local In ISP domain test perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup Sysname system view Sysname domain test Sysn...

Page 27: ...thod and multiple backup accounting methods When the primary method is invalid the device attempts to use the backup methods in sequence For example the accounting login radius scheme radius scheme name local none command specifies a primary default RADIUS accounting method and two backup methods local accounting and no accounting The device performs RADIUS accounting by default and performs local...

Page 28: ...cheme by its name a case insensitive string of 1 to 32 characters local Performs local accounting none Does not perform accounting radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines You can specify one primary accounting method and multiple backup accounting methods When the primary method is invalid the device at...

Page 29: ...l broadcast radius scheme rd1 radius scheme rd2 local Related commands accounting default local user radius scheme accounting ppp Use accounting ppp to configure the accounting method for PPP users Use undo accounting ppp to restore the default Syntax In non FIPS mode accounting ppp broadcast radius scheme radius scheme name1 radius scheme radius scheme name2 hwtacacs scheme hwtacacs scheme name l...

Page 30: ...erforms local accounting when the RADIUS server is invalid The device does not perform accounting when both of the previous methods are invalid The following guidelines apply to broadcast accounting The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time If a primary server is unavailable the device sends accounting requests...

Page 31: ...sers who have used up their data quotas online Does not perform actions on users who have used up their data quotas Examples In ISP domain test configure the device not to perform actions on users who have used up their data quotas Sysname system view Sysname domain test Sysname isp test accounting quota out online accounting start fail Use accounting start fail to configure access control for use...

Page 32: ...es not perform actions on users who have failed all their accounting update attempts Views ISP domain view Predefined user roles network admin Parameters max times max times Specifies the maximum number of consecutive accounting update failures allowed by the device for each user The value range for the max times argument is 1 to 255 and the default value is 1 offline Logs off users who have faile...

Page 33: ...alid the device attempts to use the backup methods in sequence For example the authentication advpn radius scheme radius scheme name local none command specifies a primary RADIUS authentication method and two backup methods local authentication and no authentication The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid The device d...

Page 34: ...name a case insensitive string of 1 to 32 characters ldap scheme ldap scheme name Specifies an LDAP scheme by its name a case insensitive string of 1 to 32 characters local Performs local authentication none Does not perform authentication radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines The default authenticati...

Page 35: ...od for the ISP domain is used for IKE extended authentication Views ISP domain view Predefined user roles network admin Parameters local Performs local authentication none Does not perform authentication radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines You can specify one primary authentication method and multip...

Page 36: ...ion method for IPoE users Use undo authentication ipoe to restore the default Syntax In non FIPS mode authentication ipoe local none none radius scheme radius scheme name local none undo authentication ipoe In FIPS mode authentication ipoe local radius scheme radius scheme name local undo authentication ipoe Default The default authentication method for the ISP domain is used for IPoE users Views ...

Page 37: ...as the backup Sysname system view Sysname domain test Sysname isp test authentication ipoe radius scheme rd local Related commands authentication default local user radius scheme authentication lan access Use authentication lan access to configure the authentication method for LAN users Use undo authentication lan access to restore the default Syntax In non FIPS mode authentication lan access ldap...

Page 38: ...e domain test Sysname isp test authentication lan access local In ISP domain test perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup Sysname system view Sysname domain test Sysname isp test authentication lan access radius scheme rd local Related commands authentication default hwtacacs scheme ldap scheme local user radius scheme authenticatio...

Page 39: ... radius scheme radius scheme name local none command specifies the default primary RADIUS authentication method and two backup methods local authentication and no authentication The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid The device does not perform authentication when both of the previous methods are invalid Examples In ...

Page 40: ... authentication method and multiple backup authentication methods When the primary method is invalid the device attempts to use the backup methods in sequence For example the authentication portal radius scheme radius scheme name local none command specifies the default primary RADIUS authentication method and two backup methods local authentication and no authentication The device performs RADIUS...

Page 41: ... HWTACACS scheme by its name a case insensitive string of 1 to 32 characters local Performs local authentication none Does not perform authentication radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines You can specify one primary authentication method and multiple backup authentication methods When the primary meth...

Page 42: ... name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid If you specify a scheme to provide the method for user role authentication the following rules apply If an HWTACACS scheme is specified the device...

Page 43: ...od of the ISP domain is used for ADVPN users Views ISP domain view Predefined user roles network admin Parameters local Performs local authorization none Does not perform authorization radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines The RADIUS authorization configuration takes effect only when authentication an...

Page 44: ...zation method Use undo authorization command to restore the default Syntax In non FIPS mode authorization command hwtacacs scheme hwtacacs scheme name local none local none none undo authorization command In FIPS mode authorization command hwtacacs scheme hwtacacs scheme name local local undo authorization command Default The default authorization method of the ISP domain is used for command autho...

Page 45: ...on command hwtacacs scheme hwtacacs scheme name local none command specifies the default HWTACACS authorization method and two backup methods local authorization and no authorization The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid The device does not perform command authorization when both of the previous methods are invali...

Page 46: ...tive string of 1 to 32 characters Usage guidelines The default authorization method is used for all users who support this method and do not have an authorization method configured The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme You can specify one primary authorization method and multiple...

Page 47: ...none Does not perform authorization Usage guidelines You can specify one primary authorization method and one backup authorization method When the primary method is invalid the device attempts to use the backup method Examples In ISP domain test perform local authorization for IKE extended authentication Sysname system view Sysname domain test Sysname isp test authorization ike local Related comma...

Page 48: ...ample the authorization ipoe radius scheme radius scheme name local none command specifies a primary RADIUS authorization method and two backup methods local authorization and no authorization The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid The device does not perform authorization when both of the previous methods are invalid ...

Page 49: ...fy one primary authorization method and multiple backup authorization methods When the primary method is invalid the device attempts to use the backup methods in sequence For example the authorization lan access radius scheme radius scheme name local none command specifies a primary RADIUS authorization method and two backup methods local authorization and no authorization The device performs RADI...

Page 50: ... pass authentication Login users are assigned the default user role For more information about the default user role feature see Fundamentals Configuration Guide The working directory for FTP SFTP and SCP login users is the root directory of the NAS However the users do not have permission to access the root directory radius scheme radius scheme name Specifies a RADIUS scheme by its name a case in...

Page 51: ...lt Syntax In non FIPS mode authorization portal local none none radius scheme radius scheme name local none undo authorization portal In FIPS mode authorization portal local radius scheme radius scheme name local undo authorization portal Default The default authorization method of the ISP domain is used for portal users Views ISP domain view Predefined user roles network admin Parameters local Pe...

Page 52: ...form RADIUS authorization for portal users based on scheme rd and use local authorization as the backup Sysname system view Sysname domain test Sysname isp test authorization portal radius scheme rd local Related commands authorization default local user radius scheme authorization ppp Use authorization ppp to configure the authorization method for PPP users Use undo authorization ppp to restore t...

Page 53: ...n ppp local In ISP domain test perform RADIUS authorization for PPP users based on scheme rd and use local authorization as the backup Sysname system view Sysname domain test Sysname isp test authorization ppp radius scheme rd local Related commands authorization default hwtacacs scheme local user radius scheme authorization attribute ISP domain view Use authorization attribute to configure author...

Page 54: ...ted in the idle timeout period in bytes The value range is 1 to 10240000 and the default value is 10240 igmp max access number max access number Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently The value range for the max access number argument is 1 to 64 This option is applicable only to IPoE portal and PPP users ip pool pool name Specifies an IPv4 address pool ...

Page 55: ...only to IPoE LAN portal and PPP users vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the users belong The vpn instance name argument is a case sensitive string of 1 to 31 characters When a user passes authentication it has permission to access the network resources in the specified VPN This option is applicable only to PPP and IPoE users Usage guidelines When the idle cut...

Page 56: ...ime Exclude idle time Authorization attributes Idle cut Disabled IGMP access number 4 MLD access number 4 Domain dm State Active Login authentication scheme RADIUS rad Login authorization scheme HWTACACS hw Super authentication scheme RADIUS rad PPP accounting scheme RADIUS r1 RADIUS r2 HWTACACS tc Local Command authorization scheme HWTACACS hw LAN access authentication scheme RADIUS r4 Portal aut...

Page 57: ...fline Logs off the users Accounting update failure max times Maximum number of consecutive accounting update failures allowed by the device for each user in the domain Accounting update failure action Access control for users who have failed all their accounting update attempts Online Does not perform actions on the users Offline Logs off the users Accounting quota out action Access control for us...

Page 58: ...d to users User profile Name of the authorization user profile Inbound CAR Authorized inbound CAR CIR Committed information rate in bps PIR Peak information rate in bps Outbound CAR Authorized outbound CAR CIR Committed information rate in bps PIR Peak information rate in bps ACL number Authorization ACL for users User group Authorization user group for users IPv6 prefix IPv6 address prefix author...

Page 59: ...thentication method for portal users Portal authorization scheme Authorization method for portal users Portal accounting scheme Accounting method for portal users IKE authentication scheme IKE extended authentication method IKE authorization scheme Authorization method for IKE extended authentication IPoE authentication scheme Authentication method for IPoE users IPoE authorization scheme Authoriz...

Page 60: ...e that user names containing a domain name do not exceed the maximum name length required by different types of users Examples Create an ISP domain named test and enter ISP domain view Sysname system view Sysname domain test Sysname isp test Related commands display domain domain default enable domain if unknown state ISP domain view domain default enable Use domain default enable to specify the d...

Page 61: ... Syntax domain if unknown isp domain name undo domain if unknown Default No ISP domain is specified to accommodate users who are assigned to nonexistent domains Views System view Predefined user roles network admin Parameters isp domain name Specifies the ISP domain name a case insensitive string of 1 to 255 characters The name must meet the following requirements The name cannot contain a forward...

Page 62: ...ita policy to restore the default Syntax ita policy policy name undo ita policy Default No ITA policy is applied in an ISP domain Views ISP domain view Predefined user roles network admin Parameters policy name Specifies an ITA policy by its name a case insensitive string of 1 to 31 characters Usage guidelines The ITA policy assigned from a RADIUS server takes precedence over the ITA policy in an ...

Page 63: ...ultiple NAS ID and VLAN bindings in a NAS ID profile A NAS ID can be bound with more than one VLAN but a VLAN can be bound with only one NAS ID If you configure multiple bindings for the same VLAN the most recent configuration takes effect Examples Bind NAS ID 222 with VLAN 2 in NAS ID profile aaa Sysname system view Sysname aaa nas id profile aaa Sysname nas id prof aaa nas id 222 bind vlan 2 Rel...

Page 64: ... IPoE leased line users the system uses the HSI service forcibly even if the STB or VoIP service is specified Examples Specify the STB service for users in ISP domain test Sysname system view Sysname domain test Sysname isp test service type stb session time include idle time Use session time include idle time to configure the device to include the idle cut period or the online detection interval ...

Page 65: ...er for users in ISP domain test Sysname system view Sysname domain test Sysname isp test session time include idle time Related commands display domain state ISP domain view Use state to set the status of an ISP domain Use undo state to restore the default Syntax state active block undo state Default An ISP domain is in active state Views ISP domain view Predefined user roles network admin Paramet...

Page 66: ...s type private ds Specifies the private DS address type private ipv4 Specifies the private IPv4 address type public ds Specifies the public DS address type public ipv4 Specifies the public IPv4 address type Usage guidelines Any change to the user address type does not affect online users Examples Specify the user address type as private ds for ISP domain test Sysname system view Sysname domain tes...

Page 67: ...ttributes to the user Use undo authorization attribute to restore the default of an authorization attribute Syntax authorization attribute acl acl number callback number callback number idle cut minute ip ipv4 address ip pool ipv4 pool name ipv6 ipv6 address ipv6 pool ipv6 pool name ipv6 prefix ipv6 prefix prefix length primary dns secondary dns ip ipv4 address ipv6 ipv6 address session timeout mi...

Page 68: ...secondary DNS server session timeout minutes Sets the session timeout timer in minutes The value range for the minutes argument is 1 to 1440 The device logs off a user after the timer expires for the user url url string Specifies the URL to which a user is redirected after it passes authentication The url string argument is a case sensitive string of 1 to 255 characters user profile profile name S...

Page 69: ...takes precedence over the same attribute configured in user group view To make sure FTP SFTP and SCP users can access the directory after a master subordinate or active standby switchover do not specify chassis or slot information for the working directory To make sure a user has only the user roles authorized by using this command use the undo authorization attribute user role command to remove t...

Page 70: ...t be more than 62 characters ip ip address Specifies the IP address to which the user is bound This option applies only to 802 1X users location interface interface type interface number Specifies the interface to which the user is bound The interface type argument represents the interface type and the interface number argument represents the interface number To pass authentication the user must a...

Page 71: ... the user accesses the device Specify the Layer 2 Ethernet interface if portal is enabled on a VLAN interface and the portal roaming enable command is not configured Examples Bind IP address 3 3 3 3 with network access user abc Sysname system view Sysname local user abc class network Sysname luser network abc bind attribute ip 3 3 3 3 Related commands display local user company Use company to spec...

Page 72: ...ger of MSC company Configure the description as Manager of MSC company for network access user 123 Sysname system view Sysname local user 123 class network Sysname luser network 123 description Manager of MSC company Related commands display local user display local guest waiting approval Use display local guest waiting approval to display pending registration requests for local guests Syntax disp...

Page 73: ...tal 1 guest users matched Number of local guests Full name Full name of the local guest Company Company name of the local guest Email Email address of the local guest Phone Phone number of the local guest Description Description of the local guest Related commands reset local guest waiting approval display local user Use display local user to display the local user configuration and online user st...

Page 74: ... or blocked state A local user in active state can access network services but a local user in blocked state cannot user name user name Specifies all local users using the specified username The username must be a case sensitive string of 1 to 55 characters that does not contain the domain name vlan vlan id Specifies all local users in a VLAN The vlan id argument is in the range of 1 to 4094 Usage...

Page 75: ...time 2015 04 03 18 00 00 Total 3 local users matched Table 3 Command output Field Description State Status of the local user active or blocked Service type Service types that the local user can use including ADVPN FTP HTTP HTTPS IKE IPoE LAN access PAD portal PPP SSH Telnet and terminal Access limit Whether the concurrent login limit is enabled Max access number Maximum number of concurrent logins...

Page 76: ...er IPv6 address of the secondary DNS server for the local user URL Redirect URL of the local user VPN instance Authorization VPN instance of the local user Password aging This field appears only when password aging is enabled The aging time is displayed in parentheses Password length This field appears only when password length control is enabled The minimum password length is displayed in parenth...

Page 77: ...ires display user group Use display user group to display user group configuration Syntax display user group all name group name Views Any view Predefined user roles network admin network operator Parameters all Specifies all user groups name group name Specifies a user group by its name a case insensitive string of 1 to 32 characters Examples Display the configuration of all user groups Sysname d...

Page 78: ...ser group VPN instance Authorization VPN instance for the user group Password control configurations Password control attributes that are configured for the user group Password aging This field appears only when password aging is enabled The aging time is displayed in parentheses Password length This field appears only when password length control is enabled The minimum password length is displaye...

Page 79: ...address must comply with RFC 822 Usage guidelines The local guest uses the email address to receive notifications from the device Examples Configure the email address as abc yyy com for local guest abc Sysname system view Sysname local user abc class network guest Sysname luser network guest abc email abc yyy com Related commands display local user full name Use full name to configure the name of ...

Page 80: ...up Default A local user belongs to user group system Views Local user view Predefined user roles network admin Parameters group name Specifies the user group name a case insensitive string of 1 to 32 characters Examples Assign device management user 111 to user group abc Sysname system view Sysname local user 111 class manage Sysname luser manage 111 group abc Related commands display local user l...

Page 81: ...ject or body for the email notifications of local guest information Syntax local guest email format to guest manager sponsor body body string subject sub string undo local guest email format to guest manager sponsor body subject Default No subject or body is configured for the email notifications of local guest information Views System view Predefined user roles network admin Parameters to Specifi...

Page 82: ...lid dates for the account are given below Related commands local guest email sender local guest email smtp server local guest manager email local guest send email local guest email sender Use local guest email sender to configure the email sender address in email notifications of local guests sent by the device Use undo local guest email sender to restore the default Syntax local guest email sende...

Page 83: ...al guests Views System view Predefined user roles network admin Parameters url string Specifies the path of the SMTP server a case sensitive string of 1 to 255 characters The path must comply with the standard SMTP protocol and start with smtp Usage guidelines If you execute this command multiple times the most recent configuration takes effect Examples Specify the SMTP server at smtp www test com...

Page 84: ... to 12 The value range for the DD argument varies with the specified month The value range for the YYYY argument is 2000 to 2035 start time Specifies the start time of the validity period in the format of hh mm ss The value range for the hh argument is 0 to 23 The value range for the mm and ss arguments is 0 to 59 The mm and ss arguments are optional For example enter 1 to indicate 1 00 00 A value...

Page 85: ...dress undo local guest manager email Default No email address is configured for the guest manager Views System view Predefined user roles network admin Parameters email address Specifies the email address a case sensitive string of 1 to 255 characters For example sec abc com The address must comply with RFC 822 Usage guidelines Use this command to specify the email address to which the device send...

Page 86: ...s can use this command to inform local guests or guest sponsors of the guest password and validity period information Examples Send an email to notify local guest abc of the guest password and validity period information Sysname system view Sysname local guest send email user name abc to guest Related commands email sponsor email local guest timer Use local guest timer to set the waiting approval ...

Page 87: ...ive string of 1 to 55 characters that does not contain the domain name The name cannot contain a forward slash backslash vertical bar colon asterisk question mark left angle bracket right angle bracket or at sign The name also cannot be a al or all class Specifies the local user type manage Device management user who can configure and monitor the device after login Device management users can use ...

Page 88: ...nter local user view Sysname system view Sysname local user user2 class network Sysname luser network user2 Add a local guest named user3 and enter local guest view Sysname system view Sysname local user user3 class network guest Sysname luser network guest user3 Related commands display local user service type local user view local user export Use local user export to export local guest account i...

Page 89: ...th as ftp 1 1 1 1 1 1 user user csv or ftp 1 1 1 1 user user csv Examples Export local guest account information to the guest csv file in the ftp 1 1 1 1 user path Sysname system view Sysname local user export class network guest url ftp 1 1 1 1 user guest csv Related commands local user import local user import Use local user import to import local guest account information from a csv file in the...

Page 90: ...evice retains the existing account and does not import the local guest with the same name start line line number Specifies the number of the line at which the account import begins If you do not specify a line number this command imports all accounts in the csv file Usage guidelines The csv file contains multiple parameters for each account and the parameters must be strictly arranged in the follo...

Page 91: ...a validity period for the imported guests Sysname system view Sysname local user import class network guest url ftp 1 1 1 1 user guest csv validity datetime 2014 10 01 00 00 00 to 2014 10 02 12 00 00 Related commands display local user local user export password Use password to configure a password for a local user Use undo password to restore the default Syntax In non FIPS mode password cipher ha...

Page 92: ... mode a non password protected user passes authentication if the user provides the correct username and passes attribute checks To enhance security configure a password for each local user In FIPS mode only password protected users can pass authentication For a device management user you must set the password in interactive mode Examples Set the password to 123456TESTplat in plaintext form for dev...

Page 93: ...sts for local guests Syntax reset local guest waiting approval user name user name Views User view Predefined user roles network admin Parameters user name user name Specifies a local guest by the user name a case sensitive string of 1 to 55 characters The name cannot contain a domain name If you do not specify a guest this command clears information about all registration requests for local guest...

Page 94: ... HTTP service https Authorizes the user to use the HTTPS service ike Authorizes the user to use the IKE extended authentication service ipoe Authorizes the user to use the IPoE service lan access Authorizes the user to use the LAN access service The users are typically Ethernet users for example 802 1X users pad Authorizes the user to use the PAD service ssh Authorizes the user to use the SSH serv...

Page 95: ...he department as test for the guest sponsor of local guest abc Sysname system view Sysname local user abc class network guest Sysname luser network guest abc sponsor department test Related commands display local user sponsor email Use sponsor email to specify the email address of the guest sponsor for a local guest Use undo sponsor email to restore the default Syntax sponsor email email string un...

Page 96: ... full name Default No guest sponsor name is specified for a local guest Views Local guest view Predefined user roles network admin Parameters name string Specifies the guest sponsor name a case sensitive string of 1 to 255 characters Examples Specify the guest sponsor name as Sam Li for local guest abc Sysname system view Sysname local user abc class network guest Sysname luser network guest abc s...

Page 97: ...enter its view or enter the view of an existing user group Use undo user group to delete a user group Syntax user group group name undo user group group name Default A system defined user group exists The group name is system Views System view Predefined user roles network admin Parameters group name Specifies the user group name a case insensitive string of 1 to 32 characters Usage guidelines A u...

Page 98: ...he time is in the format of hh mm ss The value range for the hh argument is 0 to 23 The value range for the mm and ss arguments is 0 to 59 The mm and ss arguments are optional For example enter 1 to indicate 1 00 00 A value of 0 indicates 00 00 00 to Specifies the expiration date and time for the local guest expiration date Specifies the expiration date in the format of MM DD YYYY or YYYY MM DD Th...

Page 99: ...he device generates an Acct Session ID value for each online user based on the system time random digits and device ID On a VSRP network where multiple devices use the same accounting server accounting ID conflicts might occur To avoid duplicate accounting IDs use this command to assign a unique device ID to each device If you modify the device ID the new device ID does not take effect on users wh...

Page 100: ... through the device Execute the save command to ensure that the accounting on enable command takes effect at the next reboot For information about the save command see Fundamentals Command Reference Parameters set by using the accounting on enable command take effect immediately Examples Enable the accounting on feature for RADIUS scheme radius1 and set the retransmission interval to 5 seconds and...

Page 101: ...of these users is saved to the SPUs through which the users access the device Execute the save command to ensure that the accounting on extended command takes effect at the next card reboot For information about the save command see Fundamentals Command Reference Examples Enable the extended accounting on feature for RADIUS scheme radius1 Sysname system view Sysname radius scheme radius1 Sysname r...

Page 102: ... default Syntax attribute 25 car undo attribute 25 car Default The RADIUS class attribute is not interpreted as CAR parameters Views RADIUS scheme view Predefined user roles network admin Usage guidelines Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user based traffic monitoring and control Examples In RADIUS sch...

Page 103: ...ser data measurement unit on the RADIUS server Examples In RADIUS scheme radius1 set the data measurement unit to kilobyte for the Remanent_Volume attribute Sysname system view Sysname radius scheme radius1 Sysname radius radius1 attribute remanent volume unit kilo byte Related commands display radius scheme client Use client to specify a RADIUS DAE client Use undo client to remove the specified R...

Page 104: ...ers vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the RADIUS DAE client belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the server is on the public network do not specify this option Usage guidelines The device discards DAE packets sent from DAE clients that are not specified for the DAE server You can execute the client command...

Page 105: ...o kilobyte and kilo packet respectively Sysname system view Sysname radius scheme radius1 Sysname radius radius1 data flow format data kilo byte packet kilo packet Related commands display radius scheme display radius scheme Use display radius scheme to display RADIUS scheme configuration Syntax display radius scheme radius scheme name Views Any view Predefined user roles network admin network ope...

Page 106: ...pdate 5 Server Quiet Period minutes 5 Realtime Accounting Interval minutes 22 NAS IP Address 1 1 1 1 VPN Not configured User Name Format with domain Data flow unit Megabyte Packet unit One Attribute 15 check mode Strict Attribute 25 CAR Attribute Remanent Volume unit Mega Table 7 Command output Field Description Index Index number of the RADIUS scheme Primary authentication server Information abou...

Page 107: ... transmitting a RADIUS packet to a single RADIUS server Retransmission Times for Accounting Update Maximum number of accounting attempts Server Quiet Period minutes Quiet period for the servers in minutes Realtime Accounting Interval minutes Interval for sending real time accounting updates in minutes NAS IP Address Source IP address for outgoing RADIUS packets VPN MPLS L3VPN instance to which the...

Page 108: ...sCtrl Request Packet 0 0 0 Retry Packet 0 0 Timeout Packet 0 0 Access Challenge 0 Account Start 0 Account Update 0 Account Stop 0 Terminate Request 0 Set Policy 0 Packet With Response 0 0 0 Packet Without Response 0 0 Access Rejects 0 Dropped Packet 0 0 0 Check Failures 0 0 0 Table 8 Command output Field Description Auth Authentication packets Acct Accounting packets SessCtrl Session control packe...

Page 109: ...ion Syntax key accounting authentication cipher simple string undo key accounting authentication Default No shared key is configured for secure RADIUS authentication or accounting communication Views RADIUS scheme view Predefined user roles network admin Parameters accounting Specifies the shared key for secure RADIUS accounting communication authentication Specifies the shared key for secure RADI...

Page 110: ...adius nas ip command in system view If the radius nas ip command is not configured the source IP address is the IP address of the outbound interface Views RADIUS scheme view Predefined user roles network admin Parameters ipv4 address Specifies an IPv4 address which must be an address of the device The IP address cannot be 0 0 0 0 255 255 255 255 a class D address a class E address or a loopback ad...

Page 111: ...the undo nas ip command the command deletes the source IPv4 address for outgoing RADIUS packets Examples In RADIUS scheme radius1 specify the IP address 10 1 1 1 as the source IP address for outgoing RADIUS packets Sysname system view Sysname radius scheme radius1 Sysname radius radius1 nas ip 10 1 1 1 Related commands display radius scheme radius nas ip port Use port to specify the RADIUS DAE ser...

Page 112: ...ing server cipher Specifies the key in encrypted form simple Specifies the key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is case sensitive In non FIPS mode the encrypted form of the key is a string of 1 to 117 characters The plaintext form of the key is a string of 1 to 64 characters In FIPS m...

Page 113: ... address 10 110 1 2 UDP port number 1813 and plaintext shared key 123456TESTacct Sysname system view Sysname radius scheme radius1 Sysname radius radius1 primary accounting 10 110 1 2 1813 key simple 123456TESTacct Related commands display radius scheme key RADIUS scheme view secondary accounting RADIUS scheme view vpn instance RADIUS scheme view primary authentication RADIUS scheme view Use prima...

Page 114: ...ntication server are the same as those configured on the server Two authentication servers specified for a scheme primary or secondary cannot have identical IP address port number and VPN instance settings The shared key configured by this command takes precedence over the shared key configured with the key authentication command When you specify a test profile for the primary authentication serve...

Page 115: ...the range of 0 to 63 A larger value represents a higher priority Usage guidelines Use this command to set the DSCP priority in the ToS field of RADIUS packets for changing their transmission priority Examples Set the DSCP priority of IPv4 RADIUS packets to 10 Sysname system view Sysname radius dscp 10 radius dynamic author server Use radius dynamic author server to enable the RADIUS DAE server fea...

Page 116: ... class D address a class E address or a loopback address ipv6 ipv6 address Specifies an IPv6 address which must be a unicast address of the device and cannot be a loopback address or a link local address vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the source IP address belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters To configure ...

Page 117: ...work source IPv6 address Examples Specify IP address 129 10 10 1 as the source address for outgoing RADIUS packets Sysname system view Sysname radius nas ip 129 10 10 1 Related commands nas ip RADIUS scheme view radius scheme Use radius scheme to create a RADIUS scheme and enter its view or enter the view of an existing RADIUS scheme Use undo radius scheme to delete a RADIUS scheme Syntax radius s...

Page 118: ...security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is case sensitive In non FIPS mode the encrypted form of the key is a string of 1 to 117 characters The plaintext form of the key is a string of 1 to 64 characters In FIPS mode the encrypted form of the key is a string of 15 to 117 characters The plaintext form of the key i...

Page 119: ... Syntax radius session control enable undo radius session control enable Default The RADIUS session control feature is disabled Views System view Predefined user roles network admin Usage guidelines The RADIUS session control feature enables the device to receive RADIUS session control packets on UDP port 1812 from a RADIUS server that runs on IMC Examples Enable the RADIUS session control feature...

Page 120: ...the server until you create the test profile on the device You can specify the same test profile for multiple RADIUS servers When you delete a test profile the device stops detecting the status of the RADIUS servers that use the test profile Examples Configure a test profile named abc for RADIUS server status detection The detection packet uses admin as the username and is sent every 10 minutes Sy...

Page 121: ...ent times out during the authentication process the user is immediately logged off To avoid user logoffs the value multiplied by the following items cannot be larger than the client timeout period defined by the access module The maximum number of RADIUS packet transmission attempts The RADIUS server response timeout period The number of RADIUS servers in the RADIUS scheme When the device sends a ...

Page 122: ...ttempts and specific parameters For example the RADIUS server response timeout period is 3 seconds set with the timer response timeout command the maximum number of RADIUS packet transmission attempts is three set with the retry command the real time accounting interval is 12 minutes set with the timer realtime accounting command and the maximum number of accounting attempts is five set with the r...

Page 123: ...haracters In FIPS mode the encrypted form of the key is a string of 15 to 117 characters The plaintext form of the key is a string of 15 to 64 characters The plaintext string must contain digits uppercase letters lowercase letters and special characters vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the secondary RADIUS accounting server belongs The vpn instance name argu...

Page 124: ...Sysname system view Sysname radius scheme radius2 Sysname radius radius2 secondary accounting 10 110 1 1 1813 Sysname radius radius2 secondary accounting 10 110 1 2 1813 Related commands display radius scheme key RADIUS scheme view primary accounting RADIUS scheme view vpn instance RADIUS scheme view secondary authentication RADIUS scheme view Use secondary authentication to specify a secondary RA...

Page 125: ...ing server A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers If the primary server fails the device tries to communicate with a secondary server in active state The device connects to the secondary servers in the order they are configured When you specify a test profile for secondary authentication servers make sure the test profile already exists on the device Other...

Page 126: ...hable accounting server up Sends a notification when the RADIUS accounting server becomes reachable authentication error threshold Sends a notification when the number of authentication failures exceeds the specified threshold The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts The value range is 1 to 100 and the default value is ...

Page 127: ...ck Specifies the blocked state the out of service state Usage guidelines During an authentication or accounting process the device first tries to communicate with the primary server if the primary server is in active state If the primary server is unavailable the device performs the following operations Changes the status of the primary server to blocked Starts a quiet timer for the server Tries t...

Page 128: ...DIUS server ipv6 ipv6 address Specifies the IPv6 address of a secondary RADIUS server port number Sets the service port number of a secondary RADIUS server The value range for the UDP port number is 1 to 65535 The default port numbers for authentication and accounting are 1812 and 1813 respectively vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the secondary RADIUS server...

Page 129: ... radius1 state secondary authentication block Related commands display radius scheme radius server test profile state primary timer quiet RADIUS scheme view Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme Use undo timer quiet to restore the default Syntax timer quiet minutes undo timer quiet Default The server quiet timer period is 5 minutes in a RADIUS scheme V...

Page 130: ...unting interval on the device is not zero the device sends online user accounting information to the RADIUS accounting server at the configured interval When the real time accounting interval on the device is zero the device sends online user accounting information to the RADIUS accounting server at the real time accounting interval configured on the server If the real time accounting interval is ...

Page 131: ...es out during the authentication process the user is immediately logged off To avoid user logoffs the value multiplied by the following items cannot be larger than the client timeout period defined by the access module The maximum number of RADIUS packet transmission attempts The RADIUS server response timeout period The number of RADIUS servers in the RADIUS scheme When the device sends a RADIUS ...

Page 132: ...ing a domain name to such a RADIUS server the device must remove the domain name This command allows you to specify whether to include a domain name in a username sent to a RADIUS server If a RADIUS scheme defines that the username is sent without the ISP domain name do not apply the scheme to more than one ISP domain Otherwise the RADIUS server will consider two users in different ISP domains but...

Page 133: ...ver the VPN instance specified for the RADIUS scheme does not take effect on that server Examples Specify VPN instance test for RADIUS scheme radius1 Sysname system view Sysname radius scheme radius1 Sysname radius radius1 vpn instance test Related commands display radius scheme HWTACACS commands data flow format HWTACACS scheme view Use data flow format to set the data flow and packet measurement...

Page 134: ...at data kilo byte packet kilo packet Related commands display hwtacacs scheme display hwtacacs scheme Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes Syntax display hwtacacs scheme hwtacacs scheme name statistics Views Any view Predefined user roles network admin network operator Parameters hwtacacs scheme name Specifies an HWTACACS scheme by its name a c...

Page 135: ...or Server Secondary HWTACACS authorization server Secondary Acct Server Secondary HWTACACS accounting server IP IP address of the HWTACACS server If no server is configured this field displays Not configured Port Service port of the HWTACACS server If no port configuration is performed this field displays the default port number Single connection Single connection status Enabled Establish only one...

Page 136: ...les network admin Parameters ipv4 address Specifies an IPv4 address which must be an address of the device The IP address cannot be 0 0 0 0 255 255 255 255 a class D address a class E address or a loopback address ipv6 ipv6 address Specifies an IPv6 address which must be a unicast address of the device and cannot be a loopback address or a link local address vpn instance vpn instance name Specifie...

Page 137: ... Private network source IP addresses Each VPN instance can have only one private network source IPv4 address and one private network source IPv6 address Examples Specify IP address 129 10 10 1 as the source address for HWTACACS packets Sysname system view Sysname hwtacacs nas ip 129 10 10 1 Related commands nas ip HWTACACS scheme view hwtacacs scheme Use hwtacacs scheme to create an HWTACACS schem...

Page 138: ...ifies the shared key for secure HWTACACS authentication communication authorization Specifies the shared key for secure HWTACACS authorization communication cipher Specifies the key in encrypted form simple Specifies the key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is case sensitive In non FI...

Page 139: ...redefined user roles network admin Parameters ipv4 address Specifies an IPv4 address which must be an address of the device The IP address cannot be 0 0 0 0 255 255 255 255 a class D address a class E address or a loopback address ipv6 ipv6 address Specifies an IPv6 address which must be a unicast address of the device and cannot be a loopback address or a link local address Usage guidelines The s...

Page 140: ...primary HWTACACS accounting server Use undo primary accounting to restore the default Syntax primary accounting ipv4 address ipv6 ipv6 address port number key cipher simple string single connection vpn instance vpn instance name undo primary accounting Default The primary HWTACACS accounting server is not specified Views HWTACACS scheme view Predefined user roles network admin Parameters ipv4 addr...

Page 141: ...same as those configured on the server Two accounting servers specified for a scheme primary or secondary cannot have identical IP address port number and VPN instance settings If the specified server resides on an MPLS L3VPN specify the VPN instance by using the vpn instance vpn instance name option The VPN instance specified by this command takes precedence over the VPN instance specified for th...

Page 142: ...onnection each time it exchanges authentication packets with the primary authentication server for a user As a best practice specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single connection method vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the primary HWTACACS authentication server belongs The vpn in...

Page 143: ... key for secure communication with the primary HWTACACS authorization server cipher Specifies the key in encrypted form simple Specifies the key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is case sensitive In non FIPS mode the encrypted form of the key is a string of 1 to 373 characters The pla...

Page 144: ...s not used for user authorization Removing an authorization server affects only authorization processes that occur after the remove operation Examples In HWTACACS scheme hwt1 specify the primary authorization server with IP address 10 163 155 13 TCP port number 49 and plaintext shared key 123456TESTautr Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 primary authorization 10...

Page 145: ...cifies the key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is case sensitive In non FIPS mode the encrypted form of the key is a string of 1 to 373 characters The plaintext form of the key is a string of 1 to 255 characters In FIPS mode the encrypted form of the key is a string of 15 to 373 char...

Page 146: ... an accounting server affects only accounting processes that occur after the remove operation Examples In HWTACACS scheme hwt1 specify a secondary accounting server with IP address 10 163 155 12 TCP port number 49 and plaintext shared key 123456TESTacct Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 secondary accounting 10 163 155 12 49 key simple 123456TESTacct Related com...

Page 147: ...n MPLS L3VPN instance to which the secondary HWTACACS authentication server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the server is on the public network do not specify this option Usage guidelines Make sure that the port number and shared key settings of each secondary HWTACACS authentication server are the same as those configured on the correspon...

Page 148: ...key in encrypted form simple Specifies the key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key This argument is case sensitive In non FIPS mode the encrypted form of the key is a string of 1 to 373 characters The plaintext form of the key is a string of 1 to 255 characters In FIPS mode the encrypted form of the k...

Page 149: ...recedence over the VPN instance specified for the HWTACACS scheme You can remove an authorization server only when it is not used for user authorization Removing an authorization server affects only authorization processes that occur after the remove operation Examples In HWTACACS scheme hwt1 specify a secondary authorization server with IP address 10 163 155 13 TCP port number 49 and plaintext sh...

Page 150: ...nterval in minutes in the range of 0 to 60 Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server Usage guidelines For real time accounting a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically This command is used to set the interval A short interval helps improve acco...

Page 151: ...rom the HWTACACS server The client timeout period of the associated access module cannot be shorter than the total response timeout timer of all HWTACACS authentication servers in the scheme Any violation will result in user logoffs before the authentication process is complete Examples In HWTACACS scheme hwt1 set the HWTACACS server response timeout timer to 30 seconds Sysname system view Sysname...

Page 152: ... defines that the username is sent without the ISP domain name do not apply the scheme to more than one ISP domain Otherwise the HWTACACS server will consider two users in different ISP domains but with the same userid as one user If the HWTACACS scheme is used for wireless users specify the format of the username to be sent from the access device to the HWTACACS server as keep original Otherwise ...

Page 153: ...ute map to restore the default Syntax attribute map map name undo attribute map Default An LDAP scheme does not use any LDAP attribute map Views LDAP scheme view Predefined user roles network admin Parameters map name Specifies an LDAP attribute map by its name a case insensitive string of 1 to 31 characters Usage guidelines When the LDAP scheme used for authorization contains an LDAP attribute ma...

Page 154: ...Specifies the name of an existing LDAP server a case insensitive string of 1 to 64 characters Usage guidelines You can specify only one LDAP authentication server in an LDAP scheme If you execute this command multiple times the most recent configuration takes effect Examples In LDAP scheme ldap1 specify the LDAP authentication server as ccc Sysname system view Sysname ldap scheme ldap1 Sysname lda...

Page 155: ...ystem view Sysname ldap scheme ldap1 Sysname ldap ldap1 authorization server ccc Related commands display ldap scheme ldap server display ldap scheme Use display ldap scheme to display the LDAP scheme configuration Syntax display ldap scheme ldap scheme name Views Any view Predefined user roles network admin network operator Parameters ldap scheme name Specifies an LDAP scheme by its name a case i...

Page 156: ...n Attribute map map1 Table 12 Command output Field Description Authentication server Name of the LDAP authentication server If no server is configured this field displays Not configured Authorization server Name of the LDAP authorization server If no server is configured this field displays Not configured IP IP address of the LDAP server If no server is specified this field displays Not configured...

Page 157: ...ress or port number Views LDAP server view Predefined user roles network admin Parameters ip address Specifies the IP address of the LDAP server port port number Specifies the TCP port number of the LDAP server The value range for the port number argument is 1 to 65535 and the default value is 389 vpn instance vpn instance name Specifies an MPLS L3VPN instance to which the LDAP server belongs The ...

Page 158: ...elongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the server is on the public network do not specify this option Usage guidelines The LDAP service port configured on the device must be consistent with the service port of the LDAP server If you change the IP address and port number of the LDAP server the change is effective only on the LDAP authentication tha...

Page 159: ...te and an AAA attribute Examples Create an LDAP attribute map named map1 and enter LDAP attribute map view Sysname system view Sysname ldap attribute map map1 Sysname ldap map map1 Related commands attribute map ldap scheme map ldap scheme Use ldap scheme to create an LDAP scheme and enter its view or enter the view of an existing LDAP scheme Use undo ldap scheme to delete an LDAP scheme Syntax ld...

Page 160: ...ing LDAP server Use undo ldap server to delete an LDAP server Syntax ldap server server name undo ldap server server name Default No LDAP servers exist Views System view Predefined user roles network admin Parameters server name Specifies the LDAP server name a case insensitive string of 1 to 64 characters Examples Create an LDAP server named ccc and enter LDAP server view Sysname system view Sysn...

Page 161: ... ccc Sysname ldap server ccc login dn uid test ou people o example c city Related commands display ldap scheme login password Use login password to configure the administrator password for binding with the LDAP server during LDAP authentication Use undo login password to restore the default Syntax login password cipher simple string undo login password Default No administrator password is configur...

Page 162: ...nsitive string of 1 to 63 characters If you do not specify this option in the undo map command the command deletes all mapping entries from the LDAP attribute map prefix prefix value delimiter delimiter value Specifies a partial value string of the LDAP attribute for attribute mapping The prefix value argument represents the position where the partial string starts The prefix is a case insensitive...

Page 163: ...o protocol version Default The LDAP version is LDAPv3 Views LDAP server view Predefined user roles network admin Parameters v2 Specifies the LDAP version LDAPv2 v3 Specifies the LDAP version LDAPv3 Usage guidelines For successful LDAP authentication the LDAP version used by the device must be consistent with the version used by the LDAP server If you change the LDAP version the change is effective...

Page 164: ...mples Specify the base DN for user search as dc ldap dc com for LDAP server ccc Sysname system view Sysname ldap server ccc Sysname ldap server ccc search base dn dc ldap dc com Related commands display ldap scheme ldap server search scope Use search scope to specify the user search scope Use undo search scope to restore the default Syntax search scope all level single level undo search scope Defa...

Page 165: ...x server timeout time interval undo server timeout Default The LDAP server timeout period is 10 seconds Views LDAP server view Predefined user roles network admin Parameters time interval Specifies the LDAP server timeout period in the range of 5 to 20 seconds Usage guidelines If you change the LDAP server timeout period the change is effective only on the LDAP authentication that occurs after the...

Page 166: ... with domain without domain Specifies the format of the username to be sent to the server The with domain keyword means that the username contains the domain name and the without domain keyword means that the username does not contain the domain name user object class object class name Specifies the user object class for user search The object class name argument represents a class value a case in...

Page 167: ... not specify a level for the undo accounting level command this command removes the ITA accounting configuration for all traffic levels in the ITA policy Examples In ITA policy ita1 specify traffic levels 2 and 5 and count the level 2 traffic as IPv4 traffic and the level 5 traffic as IPv6 traffic Sysname system view Sysname ita policy ita1 Sysname ita policy ita1 accounting level 2 ipv4 Sysname i...

Page 168: ...roles network admin Parameters none Does not perform accounting radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines Use this command to configure accounting methods for an ITA policy ITA accounting is separated from accounting of other services You can specify one primary accounting method and one backup accounting...

Page 169: ...racters Examples Create an ITA policy named ita1 and enter ITA policy view Sysname system view Sysname ita policy ita1 Sysname ita policy ita1 traffic quota out Use traffic quota out to configure access control for users who have used up their ITA data quotas Use undo traffic quota out to restore the default Syntax traffic quota out offline online undo traffic quota out Default Users cannot access...

Page 170: ...ic from the overall traffic statistics that are sent to the accounting server Use undo traffic separate enable to restore the default Syntax traffic separate enable undo traffic separate enable Default The amount of ITA traffic is included in the overall traffic statistics that are sent to the accounting server Views ITA policy view Predefined user roles network admin Examples In ITA policy ita1 e...

Page 171: ... JH300A JH301A Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers WLAN is not supported on the following routers MSR4060 MSR4080 The term AP in this document refers to MSR routers that support WLAN display dot1x Use display dot1x to display information about 802 1X Syntax Wireless devices display dot1x sessions statistics ap ap name radio radio id interface inte...

Page 172: ...t specify the ap ap name radio radio id option or the interface interface type interface number option this command displays all 802 1X information including wired 802 1X information and wireless 802 1X information Examples Display all information about 802 1X Sysname display dot1x Global 802 1X parameters 802 1X authentication Enabled CHAP authentication Enabled Max tx period 30 s Handshake perio...

Page 173: ...Challenge packets 1 Error packets 0 Online 802 1X users 1 MAC address Auth state 0001 0000 0000 Authenticated AP name AP1 Radio ID 1 SSID wlan_dot1x_ssid BSSID 1111 1111 1111 802 1X authentication Enabled Handshake Enabled Handshake security Disabled Periodic reauth Disabled Mandatory auth domain Not configured Max online users 256 EAPOL packets Tx 3 Rx 3 Sent EAP Request Identity packets 1 EAP Re...

Page 174: ... Maximum number of attempts for sending an authentication request to a client SmartOn switch ID Switch ID for SmartOn authentication SmartOn supp timeout SmartOn client timeout timer in seconds SmartOn retry counts Maximum number of attempts for retransmitting an EAP Request Notification packet to a client EAD assistant function Whether EAD assistant is enabled URL Redirect URL for unauthenticated...

Page 175: ...og off online 802 1X users or keep them online when no server is reachable for 802 1X reauthentication Max online users Maximum number of concurrent 802 1X users on the port SmartOn Whether SmartOn authentication is enabled on the port EAPOL packets Number of sent Tx and received Rx EAPOL packets Sent EAP Request Identity packets Number of sent EAP Request Identity packets EAP Request Challenge pa...

Page 176: ...zed devices in IRF mode display dot1x connection interface interface type interface number slot slot number user mac mac address user name name string Distributed devices in IRF mode display dot1x connection chassis chassis number slot slot number interface interface type interface number user mac mac address user name name string Views Any view Predefined user roles network admin network operator...

Page 177: ...displays all online 802 1X user information user name name string Specifies an 802 1X user by its name The name string argument represents the username a case sensitive string of 1 to 253 characters If you do not specify an 802 1X user this command displays all online 802 1X user information Examples Centralized devices in standalone mode Display information about all online 802 1X users Sysname d...

Page 178: ...5 17 19 21 23 25 27 29 31 33 29 31 33 35 37 40 to 100 Authorization ACL ID 3001 Termination action Default Session timeout period 2 s Online from 2013 03 02 13 14 15 Online duration 0h 2m 15s Centralized devices in IRF mode Display information about all online 802 1X users Sysname display dot1x connection Total connections 1 Slot ID 0 User MAC address 0015 e9a6 7cfe Access interface GigabitEtherne...

Page 179: ...n Total connections 1 Chassis ID 1 Slot ID 0 User MAC address 0015 e9a6 7cfe Access interface GigabitEthernet1 0 1 Username ias Authentication domain test IPv4 address 192 168 1 1 IPv6 address 2000 0 0 0 1 2345 6789 abcd Authentication method CHAP Initial VLAN 1 Authorization untagged VLAN 6 Authorization tagged VLAN list 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33 35 37 40 to 100 Auth...

Page 180: ...h the RADIUS server Initial VLAN VLAN to which the user belongs before 802 1X authentication Authorization untagged VLAN Untagged VLAN authorized to the user Authorization tagged VLAN list Tagged VLANs authorized to the user Authorization VLAN VLAN authorized to the user This field is not available for MSR4060 4080 routers Authorization ACL ID number ACL authorized to the user The Authorization AC...

Page 181: ...lobally Sysname system view Sysname dot1x Enable 802 1X on GigabitEthernet 1 0 1 Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 dot1x Sysname GigabitEthernet1 0 1 quit Related commands display dot1x dot1x authentication method Use dot1x authentication method to specify an EAP message handling method Use undo dot1x authentication method to restore the default Syntax dot1x auth...

Page 182: ... require high security CHAP transports username in plaintext and encrypted password over the network CHAP is more secure than PAP In EAP relay mode The access device relays EAP messages between the client and the RADIUS server The EAP relay mode supports multiple EAP authentication methods such as MD5 Challenge EAP TL and PEAP To use this mode make sure the RADIUS server meets the following requir...

Page 183: ...ail vlan command Examples Configure VLAN 100 as the Auth Fail VLAN on port GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 dot1x auth fail vlan 100 Related commands display dot1x dot1x critical vlan Use dot1x critical vlan to configure an 802 1X critical VLAN on a port Use undo dot1x critical vlan to restore the default Syntax dot1x cr...

Page 184: ... domain name delimiters for 802 1X users No space is required between delimiters Available delimiters include the at sign backslash dot and forward slash If you want to use backslash as the domain name delimiter you must enter the escape character along with the backslash sign Usage guidelines Any character in the configured set can be used as the domain name delimiter for 802 1X authentication us...

Page 185: ...mmand compatibility MSR954 JH296A JH297A JH298A JH299A JH373A Yes MSR958 JH300A JH301A Yes MSR2003 No MSR2004 24 2004 48 Yes MSR3012 3024 3044 3064 No MSR4060 4080 No MSR1002 4 1003 8S Yes The EAD assistant feature enables the access device to redirect a user seeking to access the network to download and install EAD client This feature eliminates the tedious job of the administrator to deploy EAD ...

Page 186: ...rameters ip address Specifies a freely accessible IP address segment also called a free IP mask Specifies an IP address mask mask length Specifies IP address mask length in the range of 1 to 32 all Removes all free IP addresses Usage guidelines The following matrix shows the command and hardware compatibility Hardware Command compatibility MSR954 JH296A JH297A JH298A JH299A JH373A Yes MSR958 JH300...

Page 187: ...redirect URL a case insensitive string of 1 to 64 characters in the format http string Usage guidelines The following matrix shows the command and hardware compatibility Hardware Command compatibility MSR954 JH296A JH297A JH298A JH299A JH373A Yes MSR958 JH300A JH301A Yes MSR2003 No MSR2004 24 2004 48 Yes MSR3012 3024 3044 3064 No MSR4060 4080 No MSR1002 4 1003 8S Yes When an unauthenticated user u...

Page 188: ...er VLAN For more information about super VLANs see Layer 2 LAN Switching Configuration Guide Usage guidelines An 802 1X guest VLAN accommodates users who have not performed 802 1X authentication In the guest VLAN users can access a limited set of network resources such as a software server to download anti virus software and system patches To delete a VLAN that has been configured as a guest VLAN ...

Page 189: ...dot1x timer handshake period command To set the maximum handshake attempts use the dot1x retry command Examples Enable the online user handshake feature on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 dot1x handshake Related commands display dot1x dot1x timer handshake period dot1x retry dot1x handshake reply enable Use dot1x handsh...

Page 190: ...online user handshake security feature Syntax dot1x handshake secure undo dot1x handshake secure Default The online user handshake security feature is disabled Views Ethernet interface view Predefined user roles network admin Usage guidelines The online user handshake security feature enables the device to prevent users from using illegal client software The feature is implemented based on the onl...

Page 191: ... user trying to access a port it selects an authentication domain in the following order 1 Mandatory domain 2 ISP domain specified in the username 3 Default ISP domain Examples Specify my domain as the mandatory authentication domain for 802 1X users on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 dot1x mandatory domain my domain Re...

Page 192: ...icast trigger to disable the 802 1X multicast trigger feature Syntax dot1x multicast trigger undo dot1x multicast trigger Default The 802 1X multicast trigger feature is enabled Views Ethernet interface view Predefined user roles network admin Usage guidelines The multicast trigger feature enables the device to act as the initiator The device periodically multicasts EAP Request Identity packets ou...

Page 193: ...thorized state to allow only EAPOL packets to pass and places the port in authorized state after a user passes authentication You can use this option in most scenarios unauthorized force Places the port in unauthorized state denying any access requests from users on the port Usage guidelines You can use this command to set the port authorization state to determine whether a client is granted acces...

Page 194: ...llowing routers MSR954 JH296A JH297A JH298A JH299A JH373A MSR958 JH300A JH301A MSR2004 24 2004 48 MSR1002 4 1003 8S portbased Uses port based access control on the port Using this method once an 802 1X user passes authentication on the port any subsequent user can access the network through the port without authentication When the authenticated user logs off all other users are logged off Examples...

Page 195: ...henticate to disable the periodic online user reauthentication feature Syntax dot1x re authenticate undo dot1x re authenticate Default The periodic online user reauthentication feature is disabled Views Ethernet interface view Predefined user roles network admin Usage guidelines Periodic reauthentication enables the access device to periodically authenticate online 802 1X users on a port This feat...

Page 196: ...le for 802 1X reauthentication Views Ethernet interface view Predefined user roles network admin Usage guidelines This feature keeps authenticated 802 1X users online when no server is reachable for 802 1X reauthentication Examples Enable the keep online feature on GigabitEthernet 1 0 1 for 802 1X reauthentication Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1...

Page 197: ...ransmitting the request if it has made the maximum number of request transmission attempts but still received no response Examples Set the maximum number of attempts to 9 for sending an authentication request to a client Sysname system view Sysname dot1x retry 9 Related commands display dot1x dot1x timer dot1x smarton Use dot1x smarton to enable the SmartOn feature on a port Use undo dot1x smarton...

Page 198: ...tOn password is set Views System view Predefined user roles network admin Parameters cipher Specifies a password in encrypted form simple Specifies password in plaintext form For security purposes the password specified in plaintext form will be stored in encrypted form string Specifies the password Its plaintext form is a case sensitive string of 1 to 16 characters Its encrypted form is a case se...

Page 199: ...the device sends an EAP Request Notification packet to the client the SmartOn client timeout timer set by using the dot1x smarton timer supp timeout command starts If the device does not receive any EAP Response Notification packets from the client within the timer it retransmits the EAP Request Notification packet to the client After the device has made the maximum retransmission attempts but rec...

Page 200: ... abc Related commands display dot1x dot1x smarton dot1x smarton password dot1x smarton timer supp timeout Use dot1x smarton timer supp timeout to set the SmartOn client timeout timer Use undo dot1x smarton timer supp timeout to restore the default Syntax dot1x smarton timer supp timeout supp timeout value undo dot1x smarton timer supp timeout Default The SmartOn client timeout timer is 30 seconds ...

Page 201: ... value reauth period reauth period value server timeout server timeout value supp timeout supp timeout value tx period tx period value undo dot1x timer ead timeout handshake period quiet period reauth period server timeout supp timeout tx period Default The following 802 1X timers apply EAD rule timer 30 minutes Handshake timer 15 seconds Quiet timer 60 seconds Periodic reauthentication timer 3600...

Page 202: ...rk with quick authentication response set the quiet timer to a low value In a network with authentication servers of different performance adjust the server timeout timer The network device uses the following 802 1X timers EAD rule timer EAD timeout Sets the lifetime of each EAD rule When the timer expires or the user passes authentication the rule is removed If users fail to download the EAD clie...

Page 203: ... 150 Related commands display dot1x dot1x unicast trigger Use dot1x unicast trigger to enable the 802 1X unicast trigger feature Use undo dot1x unicast trigger to disable the 802 1X unicast trigger feature Syntax dot1x unicast trigger undo dot1x unicast trigger Default The 802 1X unicast trigger feature is disabled Views Ethernet interface view Predefined user roles network admin Usage guidelines ...

Page 204: ... interface gigabitethernet 1 0 1 mac address 1 1 1 Related commands dot1x guest vlan reset dot1x statistics Use reset dot1x statistics to clear 802 1X statistics Syntax Wireless devices reset dot1x statistics ap ap name radio radio id interface interface type interface number Wired devices reset dot1x statistics interface interface type interface number Views User view Predefined user roles networ...

Page 205: ...port by its type and number If you do not specify a port this command clears 802 1X statistics on all ports Examples Clear 802 1X statistics on GigabitEthernet 1 0 1 Sysname reset dot1x statistics interface gigabitethernet 1 0 1 Related commands display dot1x ...

Page 206: ...299A JH373A MSR958 JH300A JH301A Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers WLAN is not supported on the following routers MSR4060 MSR4080 The term AP in this document refers to MSR routers that support WLAN display mac authentication Use display mac authentication to display MAC authentication settings and statistics The output includes the global setti...

Page 207: ...ngs and statistics Sysname display mac authentication Global MAC authentication parameters MAC authentication Enabled User name format MAC address in lowercase xxxxxxxxxxxx Username mac Password Not configured Offline detect period 300 s Quiet period 60 s Server timeout 100 s Authentication domain Not configured use default domain Online MAC auth wired users 1 Online MAC auth wireless users 2 Sile...

Page 208: ...ername of the shared account for MAC authentication users By default the username is mac Password Password for MAC authentication If MAC based accounts are used or if a shared account is used but no password is configured this field displays Not configured If a shared account is used and a password is configured this field displays a string of asterisks Offline detect period Offline detect timer Q...

Page 209: ...isting MAC VLAN mapping the device creates a new MAC VLAN mapping for the user Max online users Maximum number of concurrent online users allowed on the port Authentication attempts successful 1 failed 0 MAC authentication statistics including the number of successful and unsuccessful authentication attempts MAC address MAC address of the online user Auth state User status Authenticated The user h...

Page 210: ...s for all radios on the specified AP interface interface type interface number Specifies a port by its type and number If you do not specify a port this command displays information about the online MAC authentication users for all ports slot slot number Specifies a card by its slot number If you do not specify a card this command displays information about the online MAC authentication users for ...

Page 211: ...t period 2 s Online from 2013 03 02 13 14 15 Online duration 0h 2m 15s User MAC address 0015 e9a6 7cfe AP name ap1 Radio ID 1 SSID wlan_dot1x_ssid BSSID 0015 e9a6 7cf0 User name ias Authentication domain 1 Initial VLAN 1 Authorization VLAN 100 Authorization ACL number 3001 Termination action Radius request Session timeout period 2 sec Online from 2014 06 02 13 14 15 Online duration 0h 2m 15s Distr...

Page 212: ...ion action Radius request Session timeout period 2 s Online from 2013 03 02 13 14 15 Online duration 0h 2m 15s User MAC address 0015 e9a6 7cfe AP name ap1 Radio ID 1 SSID wlan_dot1x_ssid BSSID 0015 e9a6 7cf0 User name ias Authentication domain 1 Initial VLAN 1 Authorization VLAN 100 Authorization ACL number 3001 Termination action Radius request Session timeout period 2 sec Online from 2014 06 02 ...

Page 213: ...hich the user belongs Initial VLAN VLAN that holds the user before MAC authentication Authorization untagged VLAN Untagged VLAN authorized to the user Authorization tagged VLAN Tagged VLAN authorized to the user Authorization VLAN VLAN authorized to the user This field is not available for MSR4060 4080 routers Authorization ACL ID number ACL authorized to the user The Authorization ACL number fiel...

Page 214: ...ntication globally Sysname system view Sysname mac authentication Enable MAC authentication on port GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 mac authentication Related commands display mac authentication mac authentication carry user ip Use mac authentication carry user ip to include user IP addresses in MAC authentication reque...

Page 215: ...authentication domain to restore the default Syntax mac authentication domain domain name undo mac authentication domain Default The system default authentication domain is used For more information about the default authentication domain see the domain default enable command in AAA commands Views System view Ethernet interface view Predefined user roles network admin Parameters domain name Specif...

Page 216: ...delines The MAC authentication multi VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port When the port receives a packet sourced from the user in a VLAN not matching the existing MAC VLAN mapping the device neither logs off the user nor reauthenticates the user The device creates a new MAC VLAN mapping for the user and traffic transmission is ...

Page 217: ...amples Configure port GigabitEthernet 1 0 1 to support a maximum of 32 concurrent MAC authentication users Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 mac authentication max user 32 Related commands display mac authentication mac authentication re authenticate server unreachable keep online Use mac authentication re authenticate server unreachable keep ...

Page 218: ...t offline detect value quiet quiet value server timeout server timeout value undo mac authentication timer offline detect quiet server timeout Default The offline detect timer is 300 seconds the quiet timer is 60 seconds and the server timeout timer is 100 seconds Views System view Predefined user roles network admin Parameters offline detect offline detect value Specifies the offline detect timer...

Page 219: ... starts immediately after it is triggered by a user packet Views Ethernet interface view Predefined user roles network admin Parameters time Specifies the delay time for MAC authentication in seconds The value range is 1 to 180 Usage guidelines When both 802 1X authentication and MAC authentication are enabled on a port you can delay MAC authentication so that 802 1X authentication is preferential...

Page 220: ...encrypted form simple Specifies a password in plaintext form For security purposes the password specified in plaintext form will be stored in encrypted form string Specifies the password Its plaintext form is a case sensitive string of 1 to 63 characters Its encrypted form is a case sensitive string of 1 to 117 characters mac address Uses MAC based user accounts for MAC authentication users You ca...

Page 221: ...nterface type interface number Wired devices reset mac authentication statistics interface interface type interface number Views User view Predefined user roles network admin Parameters ap ap name Specifies an AP by its name a case insensitive string of 1 to 64 characters The string can contain letters digits underscores _ left brackets right brackets forward slashes and hyphens If you do not spec...

Page 222: ... nobinding enable Default AAA failure unbinding is disabled Views MAC binding server view Predefined user roles network admin Usage guidelines If a portal user fails AAA in MAC trigger authentication the user cannot trigger authentication before the MAC trigger entry of the user ages out After the MAC trigger entry ages out the user triggers MAC trigger authentication when it accesses the network ...

Page 223: ...tes a MAC trigger entry for a user when the device detects traffic from the user for the first time The MAC trigger entry records the following information MAC address of the user Interface index VLAN ID Traffic statistics Aging timer When the aging time expires the device deletes the MAC trigger entry The device re creates a MAC trigger entry for the user when it detects the user s traffic again ...

Page 224: ...r a portal user passes QQ authentication the QQ authentication server sends the authorization code of the user to the portal Web server After the portal Web server receives the authorization code it sends the authorization code of the user the APP ID and the APP key to the QQ authentication server for verification If the information is verified as correct the device determines that the user passes...

Page 225: ...of the user to the portal Web server After the portal Web server receives the authorization code it sends the authorization code of the user the APP ID and the APP key to the QQ authentication server for verification If the information is verified as correct the device determines that the user passes QQ authentication Examples Specify 8a5428e6afdc3e2a2843087fe73f1507 in plaintext form as the APP k...

Page 226: ...mac trigger server mts authentication timeout 10 Related commands display mac trigger server auth url Use auth url to specify the URL of the QQ authentication server Use undo auth url to delete the URL of the QQ authentication server Syntax auth url url string undo auth url Default The URL of QQ authentication server is https graph qq com Views QQ authentication server view Predefined user roles n...

Page 227: ...erver is unreachable The device performs normal portal authentication for the user The user needs to enter the username and password for authentication If you execute this command multiple times in the same MAC binding server view the most recent configuration takes effect Examples Set the maximum number of MAC binding query attempts to 3 and the query interval to 60 seconds Sysname system view Sy...

Page 228: ...he network Users can press the home button to return to the desktop and the Wi Fi connection is not disabled Examples Enable the captive bypass feature Sysname system view Sysname portal web server wbs Sysname portal websvr wbs captive bypass enable Enable the optimized captive bypass feature Sysname system view Sysname portal web server wbs Sysname portal websvr wbs captive bypass optimize enable...

Page 229: ...name system view Sysname portal local web server http Sysname portal local websvr http default logon page pagefile1 zip Related commands portal local web server display portal Use display portal to display portal configuration and portal running state Syntax display portal ap ap name radio radio id interface interface type interface number Views Any view Predefined user roles network admin network...

Page 230: ...IPv4 Portal status Enabled Authentication type Layer3 Portal VSRP status M_Delay Portal Web server wbs active Secondary portal Web server wbs sec Portal mac trigger server mts Authentication domain my domain Pre auth domain abc Extend auth domain abc User dhcp only Enabled Pre auth IP pool ab Max portal users Not configured Bas ip Not configured User detection Type ICMP Interval 300s Attempts 5 Id...

Page 231: ...rk IP address Prefix length 11 5 64 Destination authentication subnet IP address Prefix length Display portal configuration and portal running state on AP ap1 Wireless application Sysname display portal ap ap1 Portal information of ap1 Radio ID 1 SSID portal Authorization Strict checking ACL Disable User profile Disable IPv4 Portal status Enabled Authentication type Direct Portal Web server wbs ac...

Page 232: ... on VLAN interface 30 Sysname display portal Vlan interface 30 Portal information of Vlan interface30 NAS ID profile Not configured Authorization Strict checking ACL Disable User profile Disable IPv4 Portal status Enabled Authentication type Direct Portal Web server pt active Secondary portal Web server wbs sec Authentication domain test Pre auth domain Not configured Extend auth domain def User d...

Page 233: ...al configuration on the interface Radio ID ID of the radio SSID Service set identifier NAS ID profile NAS ID profile on the interface VSRP instance Name of the VSRP instance on the interface VSRP state VSRP state of the interface Master The device acts as the master in the VSRP instance Backup The device acts as the backup in the VSRP instance Down The device is not running in the VSRP instance Th...

Page 234: ... device is in standalone state This state occurs when the backup device and the master device cannot communicate with each other A typical reason is that the failover link is disconnected B_Hello The backup device is building a TCP connection with the master device negotiating the VSRP state and portal enabling state on the interface B_Report The backup device is sending portal user information to...

Page 235: ...time Portal temp pass Status of the temporary pass feature Enabled The temporary pass feature is enabled Disabled The temporary pass feature is disabled Period Temporary pass period during which a user can access the Internet temporarily This field is displayed only if the temporary pass feature is enabled Action for server detection Portal server detection configuration on the interface Server ty...

Page 236: ... extend auth server mail Mail protocol POP3 Table 18 Command output Field Description Portal extend auth server Type of the third party authentication server Authentication URL URL of the QQ authentication server APP ID APP ID for QQ authentication APP key APP key for QQ authentication Redirect URL Redirection URL for QQ authentication success Mail protocol Protocols of the email authentication se...

Page 237: ...er with MAC address 0015 e9a6 7cfe Sysname display portal local binding mac address 0015 e9a6 7cfe Total MAC addresses 1 Mac address User name 0015 e9a6 7cfe wlan_user1 Table 19 Command output Field Description Mac address MAC address of a portal user User name Username of a portal user Related commands local binding enable display portal mac trigger server Use display portal mac trigger server to...

Page 238: ... 4 2 Port 50100 VPN instance Not configured Aging time 300 seconds Free traffic threshold 0 bytes NAS Port Type Not configured Binding retry times 3 Binding retry interval 1 seconds Authentication timeout 3 minutes Local binding Disabled Local binding aging time 12 hours Display information about the MAC binding server ms1 Sysname display portal mac trigger server name ms1 Portal mac trigger serve...

Page 239: ...entication NAS Port Type NAS Port Type attribute value in RADIUS request packets sent to the RADIUS server Binding retry times Maximum number of attempts for sending MAC binding queries to the MAC binding server Binding retry interval Interval at which the device sends MAC binding queries to the MAC binding server Authentication timeout Maximum amount of time that the device waits for portal authe...

Page 240: ...lay packet statistics for portal authentication server pts Sysname display portal packet statistics server pts Portal server pts Invalid packets 0 Pkt Type Total Drops Errors REQ_CHALLENGE 3 0 0 ACK_CHALLENGE 3 0 0 REQ_AUTH 3 0 0 ACK_AUTH 3 0 0 REQ_LOGOUT 1 0 0 ACK_LOGOUT 1 0 0 AFF_ACK_AUTH 3 0 0 NTF_LOGOUT 1 0 0 REQ_INFO 6 0 0 ACK_INFO 6 0 0 NTF_USERDISCOVER 0 0 0 NTF_USERIPCHANGE 0 0 0 AFF_NTF_U...

Page 241: ...o the access device after receiving an authentication acknowledgment packet NTF_LOGOUT Forced logout notification packet the access device sent to the portal authentication server REQ_INFO Information request packet ACK_INFO Information acknowledgment packet NTF_USERDISCOVER User discovery notification packet the portal authentication server sent to the access device NTF_USERIPCHANGE User IP chang...

Page 242: ...tics Use display portal redirect statistics to display portal redirect packet statistics Syntax Centralized devices in standalone mode display portal redirect statistics Distributed devices in standalone mode centralized devices in IRF mode display portal redirect statistics slot slot number Distributed devices in IRF mode display portal redirect statistics chassis chassis number slot slot number ...

Page 243: ...ect requests HttpResp Total number of HTTP redirect responses HttpsReq Total number of HTTPS redirect requests HttpsResp Total number of HTTPS redirect responses Related commands reset portal redirect statistics display portal rule Use display portal rule to display portal packet filtering rules Syntax Centralized devices in standalone mode display portal rule all dynamic static ap ap name radio r...

Page 244: ... JH299A Yes MSR954 JH296A JH373A No MSR958 JH300A JH301A No MSR1002 4 1003 8S No MSR2003 Yes MSR2004 24 2004 48 Yes MSR3012 3024 3044 3064 Yes MSR4060 4080 No interface interface type interface number Specifies an interface by its type and number slot slot number Specifies a card by its slot number If you do not specify a card this command displays portal packet filtering rules for all cards Distr...

Page 245: ... 2 2 2 MAC 000d 88f8 0eab Interface GigabitEthernet1 0 1 VLAN Any Author ACL Number 3001 Rule 3 Type Static Action Redirect Status Active Source IP 0 0 0 0 Mask 0 0 0 0 Interface GigabitEthernet1 0 1 VLAN Any Protocol TCP Destination IP 0 0 0 0 Mask 0 0 0 0 Port 80 Rule 4 Type Static Action Deny Status Active Source IP 0 0 0 0 Mask 0 0 0 0 Interface GigabitEthernet1 0 1 VLAN Any Destination IP 0 0...

Page 246: ...Ethernet1 0 1 VLAN Any Destination IP 3000 1 Prefix length 64 Port Any Rule 2 Type Dynamic Action Permit Status Active Source IP 3000 1 MAC 0015 e9a6 7cfe Interface GigabitEthernet1 0 1 VLAN Any Author ACL Number 3001 Rule 3 Type Static Action Redirect Status Active Source IP Prefix length 0 Interface GigabitEthernet1 0 1 VLAN Any Protocol TCP Destination IP Prefix length 0 Port 80 Rule 4 ...

Page 247: ...Centralized devices in standalone mode Display all portal packet filtering rules on AP ap1 Wireless application Sysname display portal rule all ap ap1 Slot 1 IPv4 portal rules on ap1 Radio ID 1 SSID portal Rule 1 Type Static Action Permit Protocol Any Status Active Source IP 0 0 0 0 Mask 0 0 0 0 Port 23 MAC 0000 0000 0000 Interface WLAN BSS1 0 1 VLAN any Destination IP 192 168 0 111 Mask 255 255 2...

Page 248: ... Status Active Source IP 0 0 0 0 Mask 0 0 0 0 Interface WLAN BSS1 0 1 VLAN Any Destination IP 0 0 0 0 Mask 0 0 0 0 Distributed devices in standalone mode centralized in IRF mode Display all portal packet filtering rules on GigabitEthernet 1 0 1 for the specified slot Wired application Sysname display portal rule all interface gigabitethernet 1 0 1 slot 1 Slot 1 IPv4 portal rules on GigabitEthernet...

Page 249: ...0d 88f8 0eab Interface GigabitEthernet1 0 1 VLAN Any Author ACL Number 3001 Rule 3 Type Static Action Redirect Status Active Source IP 0 0 0 0 Mask 0 0 0 0 Interface GigabitEthernet1 0 1 VLAN Any Protocol TCP Destination IP 0 0 0 0 Mask 0 0 0 0 Port 80 Rule 4 Type Static Action Deny Status Active Source IP 0 0 0 0 Mask 0 0 0 0 Interface GigabitEthernet1 0 1 VLAN Any Destination IP 0 0 0 0 Mask 0 0...

Page 250: ...1 VLAN Any Destination IP 3000 1 Prefix length 64 Port Any Rule 2 Type Dynamic Action Permit Status Active Source IP 3000 1 MAC 0015 e9a6 7cfe Interface GigabitEthernet1 0 1 VLAN Any Author ACL Number 3001 Rule 3 Type Static Action Redirect Status Active Source IP Prefix length 0 Interface GigabitEthernet1 0 1 VLAN Any Protocol TCP Destination IP Prefix length 0 Port 80 Rule 4 Type Static ...

Page 251: ...dalone mode centralized in IRF mode Display all portal packet filtering rules on AP ap1 Wireless application Sysname display portal rule all ap ap1 Slot 1 IPv4 portal rules on ap1 Radio ID 1 SSID portal Rule 1 Type Static Action Permit Protocol Any Status Active Source IP 0 0 0 0 Mask 0 0 0 0 Port 23 MAC 0000 0000 0000 Interface WLAN BSS1 0 1 VLAN any Destination IP 192 168 0 111 Mask 255 255 255 ...

Page 252: ...0 Mask 0 0 0 0 Port 80 Rule 4 Type Static Action Deny Status Active Source IP 0 0 0 0 Mask 0 0 0 0 Interface WLAN BSS1 0 1 VLAN Any Destination IP 0 0 0 0 Mask 0 0 0 0 Table 23 Command output Field Description Radio ID ID of the radio SSID Service set identifier Rule Number of the portal rule IPv4 portal packet filtering rules and IPv6 portal packet filtering rules are numbered separately Type Typ...

Page 253: ...er 3 interface on which the portal rule is implemented VLAN Source VLAN ID Protocol Protocol type for the portal rule Destination Destination information of the portal rule IP Destination IP address Port Destination transport layer port number Mask Subnet mask of the destination IPv4 address Prefix length Prefix length of the destination IPv6 address Author ACL Authorized ACL assigned to authentic...

Page 254: ...an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card If you do not specify a card this command displays statistics for all cards Distributed devices in IRF mode Examples Centralized devices in standalone mode Display portal safe redirect packet statistics Sysname display portal safe redire...

Page 255: ... Command output Field Description Success Number of packets redirected successfully Failure Number of packets failed redirection Total Total number of packets Method statistics Statistics of HTTP request methods Get Number of packets with the GET request method Post Number of packets with the POST request method Other Number of packets with other request methods User agent statistics Browser types...

Page 256: ...2 168 0 111 VPN instance vpn1 Port 50100 Server detection Timeout 60s Action log trap User synchronization Timeout 200s Status Up Exclude attribute Not configured Table 25 Command output Field Description Type Portal authentication server type This field always displays IMC which indicates the IMC server Portal server Name of the portal authentication server IP IP address of the portal authenticat...

Page 257: ...rface interface type interface number ip ipv4 address ipv6 ipv6 address pre auth interface interface type interface number ip ipv4 address ipv6 ipv6 address verbose Views Any view Predefined user roles network admin network operator Parameters all Displays information about all portal users ap ap name Specifies an AP by its name a case insensitive string of 1 to 64 characters Valid characters are ...

Page 258: ...bout authenticated portal users verbose Displays detailed information about portal users Examples Display information about all portal users Wired application Sysname display portal user all Total portal users 2 Username abc Portal server pts State Online VPN instance N A MAC IP VLAN Interface 000d 88f8 0eab 2 2 2 2 GigabitEthernet1 0 1 Authorization information DHCP IP pool N A User profile abc a...

Page 259: ...Name of the authorized IP address pool If no IP address pool is authorized for the portal user this field displays N A User profile Authorized user profile N A The AAA server authorizes no user profile active The AAA server has authorized the user profile successfully inactive The AAA server failed to authorize the user profile or the user profile does not exist on the device ACL number Authorized...

Page 260: ...tive User profile portal active Max multicast addresses 4 Multicast address list 1 2 3 1 1 34 33 1 3 123 123 3 4 5 6 7 2 2 2 2 3 3 3 3 4 4 4 4 Flow statistic Uplink packets bytes 7 546 Downlink packets bytes 0 0 ITA level 1 uplink packets bytes 4 32 downlink packets bytes 2 12 level 2 uplink packets bytes 0 0 downlink packets bytes 0 0 Table 27 Command output Field Description Current IP address I...

Page 261: ...dle timeout period and the minimum traffic threshold If idle cut is not authorized this field displays N A Session duration Session duration and the remaining session time If the session duration is not authorized this field displays N A Remaining traffic Remaining traffic for the portal user If the remaining traffic is not authorized this field displays N A Login time Time when the user logged in...

Page 262: ... ITA statistics for the portal user level n uplink packets bytes Packet and byte statistics of the upstream traffic in accounting level n Number n is in the range of 1 to 8 level n downlink packets bytes Packet and byte statistics of the downstream traffic in accounting level n Number n is in the range of 1 to 8 Display information about all portal users Wireless application Sysname display portal...

Page 263: ...rized user profile N A The AAA server authorizes no user profile active The AAA server has authorized the user profile successfully inactive The AAA server failed to authorize the user profile or the user profile does not exist on the device ACL number Authorized ACL N A The AAA server authorizes no ACL active The AAA server has authorized the ACL successfully inactive The AAA server failed to aut...

Page 264: ... A User profile N A Max multicast addresses 4 Flow statistic Uplink packets bytes 6 412 Downlink packets bytes 0 0 Table 29 Command output Field Description AP name Name of the AP Radio ID Radio ID SSID Service set identifier Current IP address IP address of the portal user after passing authentication Original IP address IP address of the portal user during authentication Username Name of the por...

Page 265: ...not authorized this field displays N A Session duration Session duration and the remaining session time If the session duration is not authorized this field displays N A Remaining traffic Remaining traffic for the portal user If the remaining traffic is not authorized this field displays N A Login time Time when the user logged in The field uses the device time format for example 2023 1 19 2 42 30...

Page 266: ...et and byte statistics of the downstream traffic Related commands portal enable display portal web server Use display portal web server to display information about portal Web servers Syntax display portal web server server name Views Any view Predefined user roles network admin network operator Parameters server name Specifies a portal Web server by its name a case sensitive string of 1 to 32 cha...

Page 267: ...tate of the portal Web server N A Portal Web server detection is disabled Reachability status of the server is unknown Up Portal Web server detection is enabled The server is reachable Down Portal Web server detection is enabled The server is unreachable Captive bypass Status of the captive bypass feature Disabled Captive bypass is disabled Enabled Captive bypass is enabled Optimize Enabled Optimi...

Page 268: ... JH299A JH373A Yes MSR958 JH300A JH301A No MSR1002 4 1003 8S No MSR2003 Yes MSR2004 24 2004 48 Yes MSR3012 3024 3044 3064 Yes MSR4060 4080 No interface interface type interface number Specifies an interface by its type and number slot slot number Specifies a card by its slot number If you do not specify a card this command displays Web redirect rules for the active MPU Distributed devices in stand...

Page 269: ...e Static Action Redirect Status Active Source VLAN Any Protocol TCP Destination Port 80 Display all Web redirect rules on AP ap1 Wireless application Sysname display web redirect rule ap ap1 IPv4 web redirect rules on ap1 Radio ID 1 SSID portal Rule 1 Type Dynamic Action Permit Status Active Source IP 192 168 2 114 VLAN Any Rule 2 Type Static Action Redirect Status Active Source VLAN Any Protocol ...

Page 270: ...ce VLAN If not specified this field displays Any Protocol Transport layer protocol in the Web redirect rule Any No transport layer protocol is limited TCP Transmission Control Protocol Destination Destination information in the Web redirect rule Port Destination transport layer port number The default port number is 80 exclude attribute Use exclude attribute to exclude an attribute from portal pro...

Page 271: ... any string excluding the end character 0 This attribute can exist in any packet from the device to the portal server A packet can contain multiple TextInfo attributes As a best practice carry only one TextInfo attribute in a packet UpLinkFlux 6 Uplink output traffic of the user an 8 byte unsigned integer in KB DownLinkFlux 7 Downlink input traffic of the user an 8 byte unsigned integer in KB Port...

Page 272: ... traffic threshold Default The free traffic threshold is 0 bytes Views MAC binding server view Predefined user roles network admin Parameters value Specifies the free traffic threshold in the range of 0 to 10240000 bytes If the free traffic threshold is set to 0 the device immediately triggers MAC based quick portal authentication for a user once the user s traffic is deleted Usage guidelines Afte...

Page 273: ...ng url param encryption aes des key cipher simple string user agent string redirect url url string undo if match original url url string user agent user agent Default No URL redirection match rules exist Views Portal Web server view Predefined user roles network admin Parameters original url url string Specifies a URL string to match the URL in HTTP or HTTPS requests of a portal user The specified...

Page 274: ...TPS requests from unauthenticated users to the portal Web server for authentication The if match command allows for flexible URL redirection by redirecting specific HTTP or HTTPS requests to specific redirection URLs If both commands are executed the if match command takes priority to perform URL redirection If you configure encryption for parameters in the redirection URL you must add an encrypti...

Page 275: ...th the shared key The receiver uses the authenticator to verify the correctness of the received portal packets If you do not specify a shared key the device and MAC binding server do not authenticate the packets between them cipher Specifies a shared key in encrypted form simple Specifies a shared key in plaintext form For security purposes the key specified in plaintext form will be stored in enc...

Page 276: ...e received portal packets cipher Specifies a key in encrypted form simple Specifies a key in plaintext form For security purposes the key specified in plaintext form will be stored in encrypted form string Specifies the key Its plaintext form is a case sensitive string of 1 to 64 characters Its encrypted form is a case sensitive string of 33 to 117 characters Usage guidelines A portal authenticati...

Page 277: ...d portal packets cipher Specifies a key in encrypted form simple Specifies a key in plaintext form For security purposes the key in plaintext form will be stored in encrypted form string Specifies the key Its plaintext form is a case sensitive string of 1 to 64 characters Its encrypted form is a case sensitive string of 33 to 117 characters Usage guidelines A portal authentication server has only ...

Page 278: ...MAC trigger authentication the device does not delete existing local MAC account binding entries These entries are automatically deleted when they age out Examples Set the aging time of local MAC account binding entries to 24 hours for MAC binding server mts Sysname system view Sysname portal mac trigger server mts Sysname portal mac trigger server mts local binding aging time 24 Related commands ...

Page 279: ...om the authentication page file Syntax logon page bind device type type name ssid ssid name file file name undo logon page bind all device type type name ssid ssid name Default No SSID or endpoint type is bound to an authentication page file Views Local portal Web server view Predefined user roles network admin Parameters all Specifies all SSIDs or endpoint types device type type name Specifies an...

Page 280: ...these restrictions and guidelines If the name or content of the file in a binding entry is changed you must reconfigure the binding To reconfigure or modify a binding simply re execute this command without canceling the existing binding If you execute this command multiple times to bind an SSID or endpoint type to different authentication page files the most recent configuration takes effect Examp...

Page 281: ... value carried in RADIUS requests sent to the RADIUS server Use undo nas port type to restore the default Syntax nas port type value undo nas port type Default The NAS Port Type value carried in RADIUS requests is 0 Views MAC binding server view Predefined user roles network admin Parameters value Specifies the NAS Port Type value in the range of 1 to 255 Usage guidelines Some MAC binding servers ...

Page 282: ... specified port number must be the same as the query listening port number configured on the MAC binding server Examples Set the UDP port number to 1000 for the MAC binding server pts to listen for MAC binding query packets sysname system view sysname portal mac trigger server mts sysname portal mac trigger server mts port 1000 Related commands display mac trigger server port portal authentication...

Page 283: ...ortal packets sent to the portal authentication server Use undo portal bas ip bas ipv6 to delete the BAS IP or BAS IPv6 attribute setting Syntax Interface view portal bas ip ipv4 address bas ipv6 ipv6 address undo portal bas ip bas ipv6 Service template view portal bas ip ipv4 address undo portal bas ip Default The BAS IP attribute of an IPv4 portal reply packet sent to the portal authentication s...

Page 284: ...t output interface You must configure the BAS IP or BAS IPv6 attribute on a portal authentication enabled interface if the following conditions are met The portal authentication server is an HPE IMC server or the portal authentication mode on the interface is re DHCP The portal device IP address specified on the portal authentication server is not the IP address of the portal packet output interfa...

Page 285: ...ned number of IPv4 and IPv6 portal users specified on all interfaces or service templates does not exceed the system allowed maximum number Otherwise the exceeding portal users will not be able to log in to the device Examples Set the maximum number of IPv4 portal users to 100 on GigabitEthernet 1 0 1 Wired application Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthe...

Page 286: ...t 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 portal apply mac trigger server mts Related commands portal mac trigger server portal apply web server Use portal ipv6 apply web server to specify a portal Web server The device redirects the HTTP or HTTPS requests sent by unauthenticated portal users to the portal Web server Use undo portal ipv6 apply...

Page 287: ...comes reachable the device switches back to the primary portal Web server for portal authentication To automatically switch between the primary portal Web server and the backup portal Web server configure portal Web server detection on both servers Examples Specify portal Web server wbs as the backup portal Web server on GigabitEthernet 1 0 1 for portal authentication Wired application Sysname sys...

Page 288: ...ice or the ACL user profile fails to be deployed Examples Enable strict checking on authorized ACLs on GigabitEthernet 1 0 1 Wired application Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 portal authorization acl strict checking Enable strict checking on authorized ACLs on service template service1 Wireless application Sysname system view Sysname wlan se...

Page 289: ... ipv4 address all interface interface type interface number ipv6 ipv6 address Views System view Predefined user roles network admin Parameters ipv4 address Specifies the IP address of an IPv4 online portal user all Specifies IPv4 and IPv6 online portal users on all interfaces interface interface type interface number Specifies an interface by its type and number If you specify this option this com...

Page 290: ... Examples Set the device ID of the device to 0002 0010 100 00 Sysname system view Sysname portal device id 0002 0010 100 00 portal domain Use portal ipv6 domain to configure a portal authentication domain on an interface or a service template All portal users accessing through the interface or service template must use the authentication domain Use undo portal ipv6 domain to delete the configured ...

Page 291: ...Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 portal domain my domain Configure the authentication domain as my domain for IPv4 portal users on service template service1 Wireless application Sysname system view Sysname wlan service template service1 Sysname wlan st service1 portal domain my domain Related commands display portal portal enable Use portal ipv6 enable to enable...

Page 292: ... direct portal authentication is supported on a service template Do not enable portal authentication on both an interface and a service template Examples Enable direct IPv4 portal authentication on GigabitEthernet 1 0 1 Wired application Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 portal enable method direct Enable direct IPv4 portal authentication on s...

Page 293: ...play portal portal extend auth server Use portal extend auth server to create a third party authentication server and enter its view or enter the view of an existing third party authentication server Use undo portal extend auth server to delete a third party authentication server Syntax portal extend auth server qq mail undo portal extend auth server qq mail Default No third party authentication s...

Page 294: ... fail permit server server name undo portal ipv6 fail permit server Default Portal fail permit is disabled for the portal authentication server Views Interface view Predefined user roles network admin Parameters ipv6 Specifies an IPv6 portal authentication server Do not specify this keyword for an IPv4 portal authentication server server name Specifies a portal authentication server by its name a ...

Page 295: ...ortal ipv6 fail permit web server to disable the portal fail permit feature for portal Web servers Syntax Interface view portal ipv6 fail permit web server undo portal ipv6 fail permit web server Service template view portal fail permit web server undo portal fail permit web server Default Portal fail permit is disabled for portal Web servers Views Interface view Service template view Predefined u...

Page 296: ...template the portal Web server is unreachable when both the primary and backup portal Web servers are unreachable Before you configure this feature for a service template make sure the service template is disabled Examples Enable portal fail permit for the portal Web servers on service template service1 Sysname system view Sysname wlan service template service1 Sysname wlan st service1 portal fail...

Page 297: ...ination subnet takes effect Examples Configure an IPv4 portal authentication destination subnet of 11 11 11 0 24 on GigabitEthernet 1 0 1 Portal users need to pass authentication to access this subnet and can access other subnets without authentication Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 portal free all except destination 11 11 11 0 24 Related c...

Page 298: ...ou specify only one keyword the other keyword does not act as a filtering criterion If you specify both a source port number and a destination port number for a portal free rule the two port numbers must belong to the same transport layer protocol If you do not specify a Layer 3 interface the portal free rule takes effect on all portal enabled interfaces You cannot configure two portal free rules ...

Page 299: ...3 characters Valid characters are letters digits hyphens underscores _ dots and asterisks The host name string cannot be ip and ipv6 all Specifies all portal free rules Usage guidelines You can configure a host name in one of the following ways For exact match Specify a complete host name For example if you configure the host name as abc com cn in the portal free rule only packets that contain the...

Page 300: ...ce based portal free rules exist Views System view Predefined user roles network admin Parameters rule number Specifies a portal free rule number The value range for this argument is 0 to 4294967295 interface interface type interface number Specifies a source interface by its type and number for the portal free rule mac mac address Specifies a source MAC address for the portal free rule in the for...

Page 301: ...4 Yes MSR4060 4080 No By default the device checks wireless portal client validity according to ARP entries only In wireless networks where the AP forwards client traffic the AC does not have ARP entries for clients Therefore the AC cannot check the validity of portal clients by using ARP entries To ensure that valid users can perform portal authentication you must enable wireless client validity ...

Page 302: ...on subnet except IP addresses and subnets specified in portal free rules The users can access other subnets without portal authentication You can configure multiple authentication destination subnets If you do not specify the ipv6 network address argument in the undo portal ipv6 free all except destination command this command deletes all IPv6 portal authentication destination subnets on the inter...

Page 303: ...s argument in the undo portal ipv6 layer3 source command this command deletes all IPv6 portal authentication source subnets on the interface Only cross subnet authentication supports authentication source subnets If you configure both an authentication source subnet and an authentication destination subnet on an interface only the authentication destination subnet takes effect Examples Configure a...

Page 304: ... the user ND detection Sends ND requests to the user and detects the ND entry status of the user at configurable intervals If the ND entry of the user is refreshed within the maximum number of detection attempts the device considers that the user is online and stops detecting the user s ND entry Then the device resets the idle timer and repeats the detection process when the timer expires If the N...

Page 305: ...nauthenticated IPv4 user is not on any authentication source subnet the access device discards all the user s packets that do not match any portal free rule If you do not specify the ipv4 network address argument in the undo portal layer3 source command this command deletes all IPv4 portal authentication source subnets on the interface Only cross subnet authentication supports authentication sourc...

Page 306: ...d For an interface to use the local portal Web server the URL of the portal Web server specified for the interface must meet the following requirements The IP address in the URL must be a local IP address on the device The URL must be ended with portal For example http 1 1 1 1 portal You cannot delete an SSL server policy by using the undo ssl server policy command when the policy is associated wi...

Page 307: ...erver name Specifies a MAC binding server name a case sensitive string of 1 to 32 characters Usage guidelines After you create a MAC binding server you can configure MAC binding server parameters such as the server s IP address and the free traffic threshold Examples Create the MAC binding server mts and enter its view Sysname system view Sysname portal mac trigger server mts Sysname portal mac tr...

Page 308: ...er of IPv4 and IPv6 portal users specified on all interfaces or service templates does not exceed the system allowed maximum number Otherwise the exceeding portal users will not be able to log in to the device Examples Set the maximum number of online portal users allowed in the system to 100 Sysname system view Sysname portal max user 100 Related commands display portal user portal ipv4 max user ...

Page 309: ...attribute format Use undo portal nas port id format to restore the default Syntax portal nas port id format 1 2 3 4 undo portal nas port id format Default The format for the NAS Port ID attribute is format 2 Views System view Predefined user roles network admin Parameters 1 Uses format 1 for the NAS Port ID attribute Format 1 is expressed as follows atm eth trunk NAS_slot NAS_subslot NAS_port XPI ...

Page 310: ...ireless Specifies the NAS Port Type attribute value as WLAN IEEE 802 11 number 19 Usage guidelines The following matrix shows the support of the MSR routers for this command in different views Hardware Interface view Service template view MSR954 JH296A JH297A JH298A JH299A JH373A Yes Yes MSR958 JH300A JH301A Yes No MSR1002 4 1003 8S Yes Yes MSR2003 No Yes MSR2004 24 2004 48 Yes Yes MSR3012 3024 30...

Page 311: ...utgoing packets filtering on a portal enabled interface Syntax portal ipv6 outbound filter enable undo portal ipv6 outbound filter enable Default Outgoing packets filtering is disabled A portal enabled interface can send any packets Views Interface view Predefined user roles network admin Parameters ipv6 Specifies outgoing IPv6 packets If you do not specify this keyword the command is for outgoing...

Page 312: ... ACL user profile and CAR An unauthenticated user who is authorized with the authorization attributes in a preauthentication domain is called a preauthentication user 2 After the user passes portal authentication the user is assigned with new authorization attributes from the AAA server 3 After the user goes offline the user is reassigned with the authorization attributes in the preauthentication ...

Page 313: ...e auth domain abc Related commands display portal portal packet log enable Use portal packet log enable to enable logging for portal protocol packets Use undo portal packet log enable to disable logging for portal protocol packets Syntax portal packet log enable undo portal packet log enable Default Portal protocol packet logging is disabled Views System view Predefined user roles network admin Us...

Page 314: ... portal enabled interface The subinterface does not have an IP address Portal users need to obtain IP addresses through DHCP DHCP assigns an IP address from the specified IP address pool to a user Then the user can use this IP address to perform portal authentication The specified IP address pool takes effect when the following requirements are met The direct portal authentication mode is used on ...

Page 315: ...d Monitoring Configuration Guide Examples Enable logging for portal redirect Sysname system view Sysname portal redirect log enable Related commands portal packet log enable portal user log enable portal refresh enable Use portal refresh arp nd enable to enable ARP or ND entry conversion for portal clients Use undo portal refresh arp nd enable to disable ARP or ND entry conversion for portal clien...

Page 316: ... enable portal roaming Use undo portal roaming enable to disable portal roaming Syntax portal roaming enable undo portal roaming enable Default Portal roaming is disabled An online portal user cannot roam in its VLAN Views System view Predefined user roles network admin Usage guidelines Portal roaming applies only to portal users that log in from VLAN interfaces This command cannot be executed whe...

Page 317: ...ples Enable the portal safe redirect feature Sysname system view Sysname portal safe redirect enable Related commands portal safe redirect forbidden url portal safe redirect method portal safe redirect user agent portal safe redirect forbidden url Use portal safe redirect forbidden url to configure a URL forbidden by portal safe redirect Use undo portal safe redirect forbidden url to delete a port...

Page 318: ...methods permitted by portal safe redirect Syntax portal safe redirect method get post undo portal safe redirect method get post Default After portal safe redirect is enabled the device redirects only HTTP requests with the GET method Views System view Predefined user roles network admin Parameters get Specifies the GET request method post Specifies the POST request method Usage guidelines After yo...

Page 319: ...s You can specify the browser types as shown in Table 33 Table 33 Browser types supported by portal safe redirect Browser type Description Safari Apple browser Chrome Google browser Firefox Firefox browser UC UC browser QQBrowser QQ browser LBBROWSER Cheetah browser TaoBrowser Taobao browser Maxthon Maxthon browser BIDUBrowser Baidu browser MSIE 10 0 Microsoft IE 10 0 browser MSIE 9 0 Microsoft IE...

Page 320: ...min Parameters server name Specifies a portal authentication server by its name a case sensitive string of 1 to 32 characters Usage guidelines In portal authentication server view you can configure the following parameters and features for the portal authentication server IP address of the server Destination UDP port number used by the device to send unsolicited portal packets to the portal authen...

Page 321: ... portal authentication During the temporary pass period the user provides WeChat authentication information to the WeChat server for the server to interact with the access device to finish portal authentication Examples On GigabitEthernet 1 0 1 enable portal temporary pass and set the temporary pass period to 25 seconds Wired application Sysname system view Sysname interface gigabitethernet 1 0 1 ...

Page 322: ...sname system view Sysname portal traffic accounting disable portal user detect Use portal user detect to enable online detection of IPv4 portal users Use undo portal user detect to disable online detection of IPv4 portal users Syntax portal user detect type arp icmp retry retries interval interval idle time undo portal user detect Default Online detection of IPv4 portal users is disabled Views Int...

Page 323: ...mber of detection attempts the device logs out the user Direct authentication and re DHCP authentication support both ARP detection and ICMP detection Cross subnet authentication only supports ICMP detection If firewall policies on the access device filter out ICMP packets ICMP detection might fail and result in the logout of portal users Make sure the access device does not block ICMP packets bef...

Page 324: ...addresses obtained through DHCP on GigabitEthernet 1 0 1 Wired application Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 portal user dhcp only Enable portal authentication only for users with IP addresses obtained through DHCP on service template service1 Wireless application Sysname system view Sysname wlan service template service1 Sysname wlan st servi...

Page 325: ...ter client offline enable portal user log enable Use portal user log enable to enable logging for portal user logins and logouts Use undo portal user log enable to disable logging for portal user logins and logouts Syntax portal user log enable undo portal user log enable Default Portal user login and logout logging is disabled Views System view Predefined user roles network admin Usage guidelines...

Page 326: ...ifies a portal Web server by its name a case sensitive string of 1 to 32 characters Usage guidelines The portal Web server pushes portal authentication pages to portal users during authentication The access device redirects HTTP requests of unauthenticated portal users to the portal Web server In portal Web server view you can configure the URL and URL parameters for the portal Web server and the ...

Page 327: ...ew Sysname portal extend auth server qq Sysname portal extend auth server qq redirect url http www abc com portal qqlogin html Related commands display portal extend auth server reset portal packet statistics Use reset portal packet statistics to clear packet statistics for portal authentication servers Syntax reset portal packet statistics mac trigger server server server name server server name ...

Page 328: ...roles network admin mdc admin Parameters slot slot number Specifies a card by its slot number If you do not specify a card this command clears portal redirect packet statistics for all cards Distributed devices in standalone mode slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command clears portal redirect packet statistics for all membe...

Page 329: ... mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card If you do not specify a card this command clears statistics for all cards Distributed devices in IRF mode Examples Centralized devices in standalone mode Clear portal safe...

Page 330: ...ve only when the portal authentication server supports server heartbeat Now only the IMC portal authentication server supports server heartbeat The detection timeout configured on the device must be greater than the server heartbeat interval configured on the portal authentication server If the device receives portal packets from the portal authentication server before the detection timeout expire...

Page 331: ...iginal state and the current state of the portal Web server trap When reachability status of the portal Web server changes the device sends a trap message to the NMS The trap message contains the name and the current state of the portal Web server Usage guidelines The access device performs server detection independently No configuration on the portal Web server is required for the detection Examp...

Page 332: ...r type to restore the default Syntax server type imc undo server type Default The type of the portal authentication server and portal Web server is IMC Views Portal authentication server view Portal Web server view Predefined user roles network admin Parameters imc Specifies the portal server type as IMC Usage guidelines Specify the portal server type on the device with the server type the device ...

Page 333: ...portal authentication follow these guidelines Do not configure the listening TCP port number for a local portal Web server as the port number used by a known protocol For example do not specify port numbers 21 and 23 which are used by FTP and Telnet respectively Do not configure the HTTP listening port number as the default HTTPS listening port number 443 Do not configure the HTTPS listening port ...

Page 334: ... http www test com portal Related commands display portal web server url parameter Use url parameter to configure the parameters carried in the URL of a portal Web server The access device redirects a portal user by sending the URL with the parameters to the user Use undo url parameter to delete the parameters carried in the URL of the portal Web server Syntax url parameter param name nas id nas p...

Page 335: ...h these parameters to portal users For example assume that the URL of a portal Web server is http www test com portal and you execute the url parameter userip source address and url parameter userurl value http www abc com welcome commands Then the access device sends to the user whose IP address is 1 1 1 1 the URL http www test com portal userip 1 1 1 1 userurl http www abc com welcome When you c...

Page 336: ...o user sync to disable portal user synchronization for a portal authentication server Syntax user sync timeout timeout undo user sync Default Portal user synchronization is disabled for a portal authentication server Views Portal authentication server view Predefined user roles network admin Parameters timeout timeout Sets a detection timeout for synchronization packets in the range of 60 to 18000...

Page 337: ... logs out the user Sysname system view Sysname portal server pts Sysname portal server pts user sync timeout 600 Related commands portal server version Use version to specify the version of the portal protocol Use undo version to restore the default Syntax version version number undo version Default The version of the portal protocol is 1 Views MAC binding server view Predefined user roles network...

Page 338: ...t represents the VPN instance name a case sensitive string of 1 to 31 characters Usage guidelines A portal Web server belongs to only one MPLS L3VPN Examples Specify MPLS L3VPN instance abc for portal Web server wbs Sysname system view Sysname portal web server wbs Sysname portal websvr wbs vpn instance abc web redirect url Use web redirect url to enable the Web redirect feature Use undo web redir...

Page 339: ...ain Web redirect does not work when both Web redirect and portal authentication are enabled On a service template both Web redirect and portal authentication can be enabled and will take effect at the same time The Web redirect feature takes effect only on HTTP packets that use the default port number 80 Examples Configure IPv4 Web redirect on GigabitEthernet 1 0 1 Set the redirect URL to http 192...

Page 340: ...ly to MSR4060 and MSR4080 routers display port security Use display port security to display port security configuration operation information and statistics for ports Syntax display port security interface interface type interface number Views Any view Predefined user roles network admin network operator Parameters interface interface type interface number Specifies a port by its type and number ...

Page 341: ...rt that receives illegal packets MAC move Status of MAC move If the feature is enabled this field displays Permitted If the feature is disabled this field displays Denied Authorization fail Action to be taken for users who fail ACL authorization Online Allows the users to go online Offline Logs off the users NAS ID profile NAS ID profile applied globally Dot1x failure trap Whether SNMP notificatio...

Page 342: ...cast Allows only unicast packets and broadcasts with authenticated destination MAC addresses NeedToKnowWithMulticast Allows unicast packets multicasts and broadcasts with authenticated destination MAC addresses Disabled NTK is disabled Intrusion protection mode Intrusion protection action BlockMacAddress Adds the source MAC address of the illegal packet to the blocked MAC address list DisablePort ...

Page 343: ... operator Parameters interface interface type interface number Specifies a port by its type and number vlan vlan id Specifies a VLAN by its ID The value range is 1 to 4094 count Displays only the count of the blocked MAC addresses Usage guidelines If you do not specify any parameters this command displays information about all blocked MAC addresses Examples Centralized devices in standalone mode D...

Page 344: ... MAC addresses Sysname display port security mac address block count On slot 0 no MAC address found On slot 1 1 MAC address es found 1 mac address es found Distributed devices in IRF mode Display the count of all blocked MAC addresses Sysname display port security mac address block count On slot 0 in chassis 1 no MAC address found On slot 1 in chassis 1 1 MAC address es found 1 mac address es foun...

Page 345: ...terface gigabitethernet 1 0 1 MAC ADDR Port VLAN ID 000d 88f8 0577 GE1 0 1 1 1 mac address es found Distributed devices in standalone mode centralized devices in IRF mode Display information about all blocked MAC addresses of GigabitEthernet 1 0 1 Sysname display port security mac address block interface gigabitethernet 1 0 1 MAC ADDR Port VLAN ID 000f 3d80 0d2d GE1 0 1 30 On slot 1 1 MAC address ...

Page 346: ...t security mac address block interface gigabitethernet 1 0 1 vlan 30 MAC ADDR Port VLAN ID 000f 3d80 0d2d GE1 0 1 30 On slot 1 in chassis 1 1 MAC address es found 1 mac address es found Table 35 Command output Field Description slot n Member device with member ID n Centralized devices in IRF mode Card in slot n Distributed devices in standalone mode slot n in chassis x Card in slot n on IRF member...

Page 347: ...es Sysname display port security mac address security MAC ADDR VLAN ID STATE PORT INDEX AGING TIME 0002 0002 0002 1 Security GE1 0 1 NOAGED 000d 88f8 0577 1 Security GE1 0 1 28 2 mac address es found Display only the count of the secure MAC addresses Sysname display port security mac address security count 2 mac address es found Display information about secure MAC addresses in VLAN 1 Sysname disp...

Page 348: ... NOAGED number mac address es found Number of secure MAC addresses stored Related commands port security mac address security port security authorization ignore Use port security authorization ignore to configure a port to ignore the authorization information received from the authentication server a RADIUS server or the local device Use undo port security authorization ignore to restore the defau...

Page 349: ...feature is disabled The device does not log off users who fail ACL authorization Views System view Predefined user roles network admin Usage guidelines The authorization fail offline feature logs off port security users who fail ACL authorization A user fails ACL authorization in the following situations The device fails to authorize the specified ACL to the user The server assigns a nonexistent A...

Page 350: ...the online users Examples Enable port security Sysname system view Sysname port security enable Related commands display port security dot1x dot1x port control dot1x port method mac authentication port security intrusion mode Use port security intrusion mode to configure the intrusion protection feature so the port takes the predefined actions when intrusion protection detects illegal frames on th...

Page 351: ...SWP SIC 4GSW SIC 4GSWP Fixed Layer 2 Ethernet ports on the following routers MSR954 JH296A JH297A JH298A JH299A JH373A NSR958 JH300A JH301A MSR2004 24 2004 48 MSR1002 4 1003 8S To restore the connection of the port disabled by the intrusion protection feature use the undo shutdown command Examples Configure GigabitEthernet 1 0 1 to block the source MAC addresses of illegal frames after intrusion p...

Page 352: ... view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 port security mac address aging type inactivity Related commands display port security port security mac address dynamic Use port security mac address dynamic to enable the dynamic secure MAC feature Use undo port security mac address dynamic to disable the dynamic secure MAC feature Syntax port security mac address dynamic...

Page 353: ...lan vlan id undo port security mac address security sticky mac address vlan vlan id In system view port security mac address security sticky mac address interface interface type interface number vlan vlan id undo port security mac address security mac address interface interface type interface number vlan vlan id Default No manually configured secure MAC address entries exist Views System view Lay...

Page 354: ...tical except for their entry type For example you cannot add the port security mac address security sticky 1 1 1 vlan 10 entry when a port security mac address security 1 1 1 vlan 10 entry exists To add the new entry you must delete the old entry Examples Enable port security set GigabitEthernet 1 0 1 to operate in autoLearn mode and configure the port to support a maximum number of 100 secure MAC...

Page 355: ...w Sysname port security mac move permit Related commands display port security port security max mac count Use port security max mac count to set the maximum number of secure MAC addresses that port security allows on a port Use undo port security max mac count to restore the default Syntax port security max mac count max count undo port security max mac count Default Port security does not limit ...

Page 356: ...itEthernet1 0 1 port security max mac count 100 Related commands display port security port security nas id profile Use port security nas id profile to apply a NAS ID profile to global or port based port security Use undo port security nas id profile to restore the default Syntax port security nas id profile profile name undo port security nas id profile Default No NAS ID profile is applied to por...

Page 357: ...lt The NTK feature is not configured on a port and all frames are allowed to be sent Views Layer 2 Ethernet interface view Predefined user roles network admin Parameters ntk withbroadcasts Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses ntk withmulticasts Forwards only broadcast frames multicast frames and unicast frames with authenticated destination...

Page 358: ...er roles network admin Parameters index value Specifies the OUI index in the range of 1 to 16 oui value Specifies an OUI string a 48 bit MAC address in the H H H format The system uses only the 24 high order bits as the OUI value Usage guidelines You can configure multiple OUI values An OUI the first 24 binary bits of a MAC address is assigned by IEEE to uniquely identify a device vendor Use this ...

Page 359: ... MAC addresses You can also configure secure MAC addresses by using the port security mac address security command A port in autoLearn mode allows frames sourced from the following MAC addresses to pass Secure MAC addresses MAC addresses configured by using the mac address dynamic and mac address static commands When the number of secure MAC addresses reaches the upper limit set by the port securi...

Page 360: ...nSecure mode except that this mode supports multiple online 802 1X users userlogin secure or mac macAddressOrUserL oginSecure This mode is the combination of the userLoginSecure and macAddressWithRadius modes In this mode the port allows one 802 1X authentication user and multiple MAC authentication users to log in In this mode the port performs 802 1X authentication first If 802 1X authentication...

Page 361: ...on delay is enabled The two modes are mutually exclusive with the MAC authentication delay feature For more information about MAC authentication delay see MAC authentication commands Examples Enable port security and set GigabitEthernet 1 0 1 to operate in secure mode Sysname system view Sysname port security enable Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 port security...

Page 362: ...ng 30 Related commands display port security port security mac address security port security timer disableport Use port security timer disableport to set the silence period during which the port remains disabled Use undo port security timer disableport to restore the default Syntax port security timer disableport time value undo port security timer disableport Default The port silence period is 2...

Page 363: ... for port security Syntax snmp agent trap enable port security address learned dot1x failure dot1x logoff dot1x logon intrusion mac auth failure mac auth logoff mac auth logon undo snmp agent trap enable port security address learned dot1x failure dot1x logoff dot1x logon intrusion mac auth failure mac auth logoff mac auth logon Default All port security SNMP notifications are disabled Views Syste...

Page 364: ... more information about SNMP configuration see the network management and monitoring configuration guide for the device If you do not specify a notification this command enables all SNMP notifications for port security Examples Enable SNMP notifications about MAC address learning Sysname system view Sysname snmp agent trap enable port security address learned Related commands display port security...

Page 365: ...sitive string of 1 to 31 characters Valid characters include English letters digits and underscores _ The name must start with an English letter and must be unique If you do not specify this option the command displays configuration and online user information for all user profiles slot slot number Specifies a card by its slot number If you do not specify this option the command displays user prof...

Page 366: ...Policy p1 Inbound CIR 32 kbps CBS 2048 Bytes EBS 0 Bytes PIR 888 kbps Connection limit rate 100 User user_2 Authentication type Portal Network attributes Interface GigabitEthernet1 0 3 IP address 172 16 187 16 VPN N A Service VLAN 100 Distributed device in standalone mode Display configuration and online user information for all user profiles in slot 2 Sysname display user profile slot 2 User Prof...

Page 367: ...187 166 VPN N A Service VLAN 100 Distributed devices in IRF mode Display configuration and online user information for user profile aaa in slot 2 of IRF member device 1 Sysname display user profile name aaa chassis 1 slot 2 User Profile aaa Inbound CIR 32 kbps CBS 2048 Bytes EBS 0 Bytes PIR 888 kbps Policy p1 Outbound CIR 32 kbps CBS 2048 Bytes EBS 0 Bytes PIR 888 kbps Policy p2 Connection limit a...

Page 368: ...face GigabitEthernet1 2 0 1 MAC address 1111 2222 3333 Failed action list Connection limit rate 200 User user_4 Authentication type PPP Network attributes Interface GigabitEthernet1 2 0 2 Chassis 1 Slot 5 User user_5 Authentication type PPP Network attributes MAC address 2222 3333 4444 Distributed devices in IRF mode Display configuration and online user information for all user profiles Sysname d...

Page 369: ...ice VLAN 100 Table 37 Command output Field Description User Profile User profile name Inbound Policy applied to incoming traffic Outbound Policy applied to outgoing traffic CIR Committed information rate in kbps CBS Committed burst size in bytes EBS Excess burst size in bytes PIR Peak information rate in kbps Connection limit amount Maximum number of user connections set by the connection limits C...

Page 370: ... profile Use undo user profile to delete a user profile Syntax user profile profile name undo user profile profile name Default No user profiles exist Views System view Predefined user roles network admin Parameters profile name Specifies a user profile by its name a case sensitive string of 1 to 31 characters A user profile name can only contain English letters digits and underscores _ and it mus...

Page 371: ...ntrol configuration Sysname display password control Global password control configurations Password control Disabled Password aging Enabled 90 days Password length Enabled 10 characters Password composition Enabled 1 types 1 characters per type Password history Enabled max history records 4 Early notice on password expiration 7 days Maximum login attempts 3 Action for exceeding login attempts Loc...

Page 372: ...er the specified number of attempts Minimum interval between two updates Minimum password update interval Logins with aged password Number of times and maximum number of days a user can log in using an expired password Password complexity Whether the following password complexity checking is enabled username checking Checks whether a password contains the username or the reverse of the username re...

Page 373: ... failures 1 Lock flag unlock Username jj IP 192 168 44 3 Login failures 3 Lock flag lock Table 39 Command output Field Description Blacklist items matched Number of blacklisted users IP IP address of the user Login failures Number of login failures Lock flag Whether the user account is locked for the user unlock Not limited lock Disabled temporarily or permanently depending on the password control...

Page 374: ...sword length restriction feature is disabled the following rules apply In non FIPS mode a password must contain a minimum of 4 characters and a minimum of 4 characters must be different In FIPS mode a password must contain a minimum of 15 characters and a minimum of 4 characters must be different Examples Enable the password control feature globally Sysname system view Sysname password control ena...

Page 375: ...pe has higher priority The system prefers to use the password expiration time in local user view for a local user If no password expiration time is configured for the local user the system uses the password expiration time for the user group to which the local user belongs If no password expiration time is configured for the user group the system uses the global password expiration time Examples G...

Page 376: ...ds changed by the administrator Examples Configure the device to notify a user about pending password expiration 10 days before the user s password expires Sysname system view Sysname password control alert before expire 10 Related commands display password control password control complexity Use password control complexity to configure the password complexity checking policy Use undo password con...

Page 377: ... no policy is configured for the local user the system uses the policy for the user group to which the local user belongs If no policy is configured for the user group the system uses the global policy You can enable both username checking and repeated character checking After the password complexity checking is enabled complexity incompliant passwords will be refused Examples Configure the passwo...

Page 378: ...er of character types that a password must contain The value range for the type number argument is 1 to 4 in non FIPS mode and fixed at 4 in FIPS mode The following character types are available Uppercase letters A to Z Lowercase letters a to z Digits 0 to 9 Special characters in Table 40 Table 40 Special characters Character name Symbol Character name Symbol Ampersand sign Apostrophe Asterisk At ...

Page 379: ... be smaller than the maximum length of passwords Examples Specify that all passwords must each contain a minimum of four character types and a minimum of five characters for each type Sysname system view Sysname password control composition type number 4 type length 5 Specify that passwords in user group test must contain a minimum of four character types and a minimum of five characters for each ...

Page 380: ...ord control enable Related commands display password control password control aging composition history length enable password control expired user login Use password control expired user login to set the maximum number of days and maximum number of times that a user can log in after the password expires Use undo password control expired user login to restore the defaults Syntax password control e...

Page 381: ... System view Predefined user roles network admin Parameters max record number Specifies the maximum number of history password records for each user The value range is 2 to 15 Usage guidelines When the number of history password records reaches the maximum number the subsequent history record overwrites the earliest one The system stops recording passwords after you execute the undo password contr...

Page 382: ...ssword length in characters The value range for this argument is 4 to 32 in non FIPS mode and 15 to 32 in FIPS mode Usage guidelines The minimum length setting depends on the view The setting in system view has global significance and applies to all user groups The setting in user group view applies to all local users in the user group The setting in local user view applies only to the local user ...

Page 383: ... the maximum account idle time Use undo password control login idle time to restore the default Syntax password control login idle time idle time undo password control login idle time Default The maximum account idle time is 90 days Views System view Predefined user roles network admin Parameters idle time Specifies the maximum account idle time in days The value range is 0 to 365 0 means no restr...

Page 384: ...m number of attempts lock Disables the user account permanently lock time time Disables the user account for a period of time The user can uses this user account when the timer expires The value range for the time argument is 1 to 360 minutes unlock Allows the user account to continue using this account to perform login attempts Usage guidelines The login attempt policy depends on the view The pol...

Page 385: ... four consecutive login failures on a user account and disable the user account if the limit is reached Sysname system view Sysname password control login attempt 4 exceed lock Use the user account test to log in to the device and enter incorrect password for four times Display the password control blacklist The output shows that the user account is on the blacklist and its status is lock Sysname ...

Page 386: ...Predefined user roles network admin Parameters aging time Specifies the super password expiration time in days in the range of 1 to 365 Examples Set the super passwords to expire after 10 days Sysname system view Sysname password control super aging 10 Related commands display password control password control aging password control super composition Use password control super composition to confi...

Page 387: ...n FIPS mode Usage guidelines The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of the super password Examples Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type Sysname system view Sysname password control super composition type number 4...

Page 388: ...n change their passwords Use undo password control update interval to restore the default Syntax password control update interval interval undo password control update interval Default The minimum password update interval is 24 hours Views System view Predefined user roles network admin Parameters interval Specifies the minimum password update interval in hours in the range of 0 to 168 0 means no ...

Page 389: ...n blacklist Y N Related commands display password control blacklist reset password control history record Use reset password control history record to delete history password records Syntax reset password control history record super role role name user name user name Views User view Predefined user roles network admin Parameters super Deletes the history records of the specified super password or...

Page 390: ...372 Sysname reset password control history record Are you sure to delete all local user s history records Y N y Related commands password control history ...

Page 391: ...cifies the end time and date end time Specifies the end time in the HH MM SS format The value range for this argument is 0 0 0 to 23 59 59 end date Specifies the end date in the MM DD YYYY or YYYY MM DD format The value range for YYYY is 2000 to 2035 Usage guidelines A key becomes a valid accept key when the following requirements are met A key string has been configured An authentication algorith...

Page 392: ...ers hmac md5 Specifies the HMAC MD5 authentication algorithm md5 Specifies the MD5 authentication algorithm Usage guidelines If an application does not support the authentication algorithm specified for a key the application cannot use the key for packet authentication Examples Specify the MD5 authentication algorithm for key 1 of the keychain abc in absolute time mode Sysname system view Sysname ...

Page 393: ...uJh3g Algorithm md5 Send lifetime 01 00 00 2015 01 22 to 01 00 00 2015 01 25 Send status Active Accept lifetime 01 00 00 2015 01 22 to 01 00 00 2015 01 27 Accept status Active Key ID 2 Key string c 3 vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g Algorithm md5 Send lifetime 01 00 01 2015 01 25 to 01 00 00 2015 01 27 Send status Inactive Accept lifetime 01 00 00 2015 01 22 to 01 00 00 2015 01 27 Accept status ...

Page 394: ...key key id undo key key id Default No keys exist Views Keychain view Predefined user roles network admin Parameters key id Specifies a key ID in the range of 0 to 281474976710655 Usage guidelines The keys in a keychain must have different key IDs Examples Create key 1 and enter its view Sysname system view Sysname keychain abc mode absolute Sysname keychain abc key 1 Sysname keychain abc key 1 key...

Page 395: ... view Sysname system view Sysname keychain abc mode absolute Sysname keychain abc key string Use key string to configure a key string for a key Use undo key string to restore the default Syntax key string cipher plain string undo key string Default No key string is configured for a key Views Key view Predefined user roles network admin Parameters cipher Specifies a key in encrypted form plain Spec...

Page 396: ... The value range for YYYY is 2000 to 2035 duration duration value Specifies the lifetime of the key in the range of 1 to 2147483646 seconds duration infinite Specifies that the key never expires after it becomes valid to Specifies the end time and date end time Specifies the end time in the HH MM SS format The value range for this argument is 0 0 0 to 23 59 59 end date Specifies the end date in th...

Page 397: ...379 Sysname keychain abc key 1 Sysname keychain abc key 1 send lifetime utc 12 30 2015 1 21 to 18 30 2015 1 21 ...

Page 398: ...sensitive string of 1 to 64 characters Valid characters are letters digits and hyphens If you do not specify a key pair this command displays the public keys of all local key pairs of the specified type Usage guidelines You can copy and distribute the public key of a local key pair to peer devices Examples Display all local RSA public keys Sysname display public key local rsa public Key name hostk...

Page 399: ...2B5341C8506F358214B16A2FAC4B36895038 7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1 4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD 35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123 91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1 585DA7F42519718CC9B09EEF0381840002818041912CE34D12BCD2157E7AB1C...

Page 400: ...819795BC94CCBD3EBA7D4F0F2B2EB20C58 4D Display the public key of local RSA key pair rsa1 Sysname display public key local rsa public name rsa1 Key name rsa1 Key type RSA Time when key pair created 15 42 26 2011 05 12 Key code 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197...

Page 401: ...ir created 15 43 33 2011 05 12 Key code 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58 4D Table 42 Command output Field Description Key name Name of the local key pair If you did not specify a name when creating the key pair the default name is used followed by the word default in brackets The fo...

Page 402: ...to configure a peer host public key on the local device Examples Display detailed information about peer host public key idrsa Sysname display public key peer name idrsa Key name idrsa Key type RSA Key modulus 1024 Key code 30819F300D06092A864886F70D010101050003818D0030818902818100C5971581A78B5388 B3C9063EC6B53D395A6704D9752B6F9B7B1F734EEB5DD509F0B050662C46FFB8D27F797E37 918F6270C5793F1FC63638970A...

Page 403: ...e key and displays an error message If the key is valid for example the key was displayed by the display public key local public command the system saves the key Examples Exit public key view and save the configured peer host public key Sysname system view Sysname public key peer key1 Enter public key view Return to system view with peer public key end command Sysname pkey public key key1 30819F30...

Page 404: ... a 192 bit ECDSA key pair The secp192r1 curve is used by default in non FIPS mode secp256r1 Uses the secp256r1 curve to create a 256 bit ECDSA key pair The secp256r1 curve is used by default in FIPS mode secp384r1 Uses the secp384r1 curve to create a 384 bit ECDSA key pair rsa Specifies the RSA key pair type name key name Assigns a name to the key pair The key name argument is a case insensitive s...

Page 405: ...tomatically saved and can survive system reboots Table 46 A comparison of different types of asymmetric key algorithms Type Generated key pairs Modulus key length RSA In non FIPS mode One host key pair if you specify a key pair name One server key pair and one host key pair if you do not specify a key pair name Both key pairs use their default names In FIPS mode One host key pair NOTE Only SSH 1 5...

Page 406: ...cdsa Generating Keys Create the key pair successfully Create a local RSA key pair named rsa1 Sysname system view Sysname public key local create rsa name rsa1 The range of public key modulus is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Create a local DSA key...

Page 407: ...bort Input the modulus length default 2048 Generating Keys Create the key pair successfully In FIPS mode create a local DSA key pair with the default name Sysname system view Sysname public key local create dsa The range of public key modulus is 2048 2048 It will take a few minutes Press CTRL C to abort Input the modulus length default 2048 Create the key pair successfully Related commands display...

Page 408: ...Guide Examples Destroy the local RSA key pairs with the default names Sysname system view Sysname public key local destroy rsa Confirm to destroy the key pair Y N y Destroy the local DSA key pair with the default name Sysname system view Sysname public key local destroy dsa Confirm to destroy the key pair Y N y Destroy the local ECDSA key pair with the default name Sysname system view Sysname publ...

Page 409: ...fore distributing it to a peer device To distribute a local DSA host public key to a peer device 1 Save the exported local host public key to a file by using one of the following methods Use the public key local export dsa name key name openssh ssh2 command to export the local host public key and then copy and paste the key to a file Use the public key local export dsa name key name openssh ssh2 f...

Page 410: ...name system view Sysname public key local export dsa name dsa1 openssh dsa1 pub Display the host public key of local DSA key pair dsa1 in SSH2 0 format Sysname system view Sysname public key local export dsa name dsa1 ssh2 BEGIN SSH2 PUBLIC KEY Comment dsa key 2011 05 12 AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9 5ra4WzTO9yzhSg06UiL CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh kiuoRCHyLDyJy5s...

Page 411: ...ice To distribute a local ECDSA host public key to a peer device 1 Save the exported ECDSA host public key to a file by using one of the following methods Use the public key local export ecdsa name key name openssh ssh2 command to export the local host public key and then copy and paste it to a file Use the public key local export ecdsa name key name openssh ssh2 filename command to export the hos...

Page 412: ...ilename Views System view Predefined user roles network admin Parameters name key name Specifies a local RSA key pair by its name a case insensitive string of 1 to 64 characters Valid characters are letters digits and hyphens If you do not specify a key pair this command exports the host public key of the local RSA key pair with the default name openssh Exports the host public key in OpenSSH forma...

Page 413: ...e system view Sysname public key local export rsa ssh2 BEGIN SSH2 PUBLIC KEY Comment rsa key 2011 05 12 AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr gTCyWZyabuCJuJjMeMPQaj kixzOCCAl hDMmEGMrSfddq b YcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr aj1k3rM XOvyvPJilneKJqhPT0xd v4tlas mLNloY0dImbwS2kwE71rgg1CQ END SSH2 PUBLIC KEY Display the host public key of the local RSA key pair with the default na...

Page 414: ...4 characters Usage guidelines After you execute this command to enter the public key view type the public key Spaces and carriage returns are allowed but are not saved To configure a peer host public key on the local device first obtain the peer public key in hexadecimal notation and then perform the following tasks on the local device 1 Execute the public key peer command to enter public key view...

Page 415: ...akey or ecdsakey and cannot start with a slash or contain and For more information about file names see Fundamentals Configuration Guide Usage guidelines Before you use this command get a copy of the public key file from the peer device through FTP or TFTP in binary mode After you configure this command the system automatically transforms the host public key to the PKCS format and saves the key In...

Page 416: ... Specifies a rule ID in the range of 1 to 16 alt subject name Specifies the alternative subject name field fqdn Specifies the FQDN attribute ip Specifies the IP address attribute dn Specifies the DN attribute issuer name Specifies the issuer name field subject name Specifies the subject name field ctn Specifies the contain operation equ Specifies the equal operation nctn Specifies the not contain ...

Page 417: ...e The DN attribute value contains the abc string A certificate matches an attribute group if it matches all attribute rules in the group Examples Create a certificate attribute group and enter its view Sysname system view Sysname pki certificate attribute group mygroup Specify an attribute rule to match certificates that contain the abc string in the subject DN Sysname pki cert attribute group myg...

Page 418: ...a Sysname pki domain aaa ca identifier new ca certificate request entity Use certificate request entity to specify the PKI entity for certificate request Use undo certificate request entity to restore the default Syntax certificate request entity entity name undo certificate request entity Default No PKI entity is specified for certificate request Views PKI domain view Predefined user roles networ...

Page 419: ...certificate request reception authority is not specified Views PKI domain view Predefined user roles network admin Parameters ca Sends certificate requests to the CA ra Sends certificate requests to the RA Usage guidelines The CA server determines whether the CA or RA accepts certificate requests This authority setting must be consistent with the setting on the CA server Examples Sends certificate...

Page 420: ...mmon name Automatically appends random data to the common name of the PKI entity for the new certificate If you do not specify this keyword the common name of the PKI entity will be unchanged in the new certificate manual Specifies the manual certificate request mode Usage guidelines A certificate request can be submitted to a CA in offline or online mode In online mode a certificate request can b...

Page 421: ...nterval undo certificate request polling count interval Default The polling interval is 20 minutes and the maximum number of attempts is 50 Views PKI domain view Predefined user roles network admin Parameters count count Specifies the maximum number of query attempts The value range is 1 to 100 interval interval Specifies a polling interval in minutes The value range is 5 to 168 Usage guidelines A...

Page 422: ...restricted by the CLI string limitation or the url string parameter whichever is smaller vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the certificate request reception authority server belongs A VPN instance name is a case sensitive string of 1 to 31 characters If the certificate request reception authority server is on the public network do not specify this option Usa...

Page 423: ...e string of 1 to 63 characters No comma can be included You can set the username of the PKI entity as the common name Examples Set the common name to test for PKI entity en Sysname system view Sysname pki entity en Sysname pki entity en common name test country Use country to set the country code of a PKI entity Use undo country to restore the default Syntax country country code string undo countr...

Page 424: ... list of revoked certificates signed and published by a CA Revoked certificates should no longer be trusted CRL checking is designed to check whether a certificate has been revoked Examples Disable CRL checking Sysname system view Sysname pki domain aaa Sysname pki domain aaa undo crl check enable Related commands pki import pki retrieve certificate pki validate certificate crl url Use crl url to ...

Page 425: ...certificate is the certificate being verified After the previous selection process if the CRL repository is not found the device obtains the CRL through SCEP In this scenario the CA certificate and the local certificates must have been obtained If an LDAP URL is specified the device must connect to the LDAP server to obtain the CRL If the LDAP URL does not contain the address of the LDAP server us...

Page 426: ...isplay pki certificate access control policy Total PKI certificate access control policies 2 Access control policy name mypolicy1 Rule 1 deny mygroup1 Rule 2 permit mygroup2 Access control policy name mypolicy2 Rule 1 deny mygroup3 Rule 2 permit mygroup4 Table 48 Command output Field Description Total PKI certificate access control policies Total number of certificate based access control policies...

Page 427: ... certificate attribute groups 2 Attribute group name mygroup1 Attribute 1 subject name dn ctn abc Attribute 2 issuer name fqdn nctn app Attribute group name mygroup2 Attribute 1 subject name dn ctn def Attribute 2 issuer name fqdn nctn fqd Table 49 Command output Field Description Total PKI certificate attribute groups Total number of certificate attribute groups ctn Contain operation nctn Not con...

Page 428: ...ks Colon Apostrophe ca Specifies the CA certificate local Specifies the local certificates peer Specifies the peer certificates serial serial num Specifies the serial number of a peer certificate Usage guidelines If you specify the CA keyword this command displays information about all CA certificates in the domain If the domain has RA certificates the RA certificates are also displayed If you spe...

Page 429: ...2b 66 5a fb Exponent 65537 0x10001 Signature Algorithm sha1WithRSAEncryption 6d b1 4e d7 ef bb 1d 67 53 67 d0 8f 7c 96 1d 2a 03 98 3b 48 41 08 a4 8f a9 c1 98 e3 ac 7d 05 54 7c 34 d5 ee 09 5a 11 e3 c8 7a ab 3b 27 d7 62 a7 bb bc 7e 12 5e 9e 4c 1c 4a 9f d7 89 ca 20 46 de c5 b3 ce 36 ca 5e 6e dc e7 c6 fe 3f c5 38 dd d5 a3 36 ad f4 3d e6 32 7f 48 df 07 f0 a2 32 89 86 72 22 cd ed e5 0f 95 df 9c 75 71 e7...

Page 430: ...tificate of OpenCA Labs X509v3 Subject Key Identifier 91 95 51 DD BF 4F 55 FA E4 C4 D0 10 C2 A1 C2 99 AF A5 CB 30 X509v3 Authority Key Identifier keyid DF D2 C9 1A 06 1F BC 61 54 39 FE 12 C4 22 64 EB 57 3B 11 9F X509v3 Subject Alternative Name email fips ccc com X509v3 Issuer Alternative Name email pki openca org Authority Information Access CA Issuers URI http titan pki pub cacert cacert crt OCSP...

Page 431: ...cate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7 Certificate Data Version 3 0x2 Serial Number 9a 03 37 eb 21 56 ba 1f 54 76 e4 d7 54 a5 a9 f7 Signature Algorithm sha1WithRSAEncryption Issuer C cn O ccc OU sec CN ssl Validity Not Before Oct 15 01 23 06 2010 GMT Not After Jul 26 06 30 54 2012 GMT Subject CN sldsslserver Subject Public Key Info Public Key Algorithm rsaEncryption Public Ke...

Page 432: ... df 72 ad 07 7d e5 16 d6 75 eb 6e 06 58 ee 76 31 63 db 96 a2 ad 83 b6 bb ba 4b 79 59 9d 59 6c 77 59 5b d9 07 33 a8 f0 a5 Related commands pki domain pki retrieve certificate display pki certificate renew status Use display pki certificate renew status to display the certificate renewal status for a PKI domain Syntax display pki certificate renew status domain domain name Views Any view Predefined ...

Page 433: ...ed for the new certificate Display the certificate renewal status for PKI domain domain1 Sysname display pki certificate renew status domain1 Domain Name domain1 Renew Time 03 12 05 2016 06 13 Renew public key Key type RSA Time when key pair created 15 40 48 2016 06 13 Key code 30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9 667269BB8226E26331E30F41A8FF922C7338208097E843...

Page 434: ...bol Character name Symbol Tilde Dot Asterisk Left angle bracket Backslash Right angle bracket Vertical bar Quotation marks Colon Apostrophe Usage guidelines If you do not specify a PKI domain this command displays the certificate request status for all PKI domains Examples Display certificate request status for PKI domain aaa Sysname display pki certificate request status domain aaa Certificate Re...

Page 435: ...ignature only Encryption Encryption only Remain polling attempts Remaining number of attempts to query certificate request status Next polling attempt after Remaining seconds before the next request status polling Related commands certificate request polling pki domain pki retrieve certificate display pki crl domain Use display pki crl domain to display information about the CRL saved at the local...

Page 436: ...ey Identifier keyid 49 25 DB 07 3A C4 8A C2 B5 A0 64 A5 F1 54 93 69 14 51 11 EF Revoked Certificates Serial Number CDE626BF7A44A727B25F9CD81475C004 Revocation Date Apr 28 01 37 52 2011 GMT CRL entry extensions Invalidity Date Apr 28 01 37 49 2011 GMT Serial Number FCADFA81E1F56F43D3F2D3EF7EB56DE5 Revocation Date Apr 28 01 33 28 2011 GMT CRL entry extensions Invalidity Date Apr 28 01 33 09 2011 GMT...

Page 437: ...e algorithm and signature data Related commands pki retrieve crl fqdn Use fqdn to set the FQDN of an entity Use undo fqdn to restore the default Syntax fqdn fqdn name string undo fqdn Default No FQDN is set for a PKI entity Views PKI entity view Predefined user roles network admin Parameters fqdn name string Specifies an FQDN a case sensitive string of 1 to 255 characters in the format hostname do...

Page 438: ...gn an IP address to a PKI entity or specify an interface for the entity The interface s primary IPv4 address will be used as the IP address of the PKI entity If you specify an interface make sure the interface is assigned an IP address before the PKI entity requests a certificate Examples Assign IP address 192 168 0 2 to PKI entity en Sysname system view Sysname pki entity en Sysname pki entity en...

Page 439: ...ory URL configured for the PKI domain does not contain the IP address or host name of the LDAP server You can specify only one LDAP server for a PKI domain If you execute this command multiple times the most recent configuration takes effect Examples Specify LDAP server 10 0 0 1 for PKI domain aaa Sysname system view Sysname pki domain aaa Sysname pki domain aaa ldap server host 10 0 0 1 Specify L...

Page 440: ...ion Default No organization name is set for a PKI entity Views PKI entity view Predefined user roles network admin Parameters org name Specifies an organization name a case sensitive string of 1 to 63 characters No comma can be included Examples Set the organization name to abc for PKI entity en Sysname system view Sysname pki entity en Sysname pki entity en organization abc organization unit Use ...

Page 441: ...domain by its name a case insensitive string of 1 to 31 characters The domain name cannot contain the special characters listed in Table 57 Table 57 Special characters Character name Symbol Character name Symbol Tilde Dot Asterisk Left angle bracket Backslash Right angle bracket Vertical bar Quotation marks Colon Apostrophe Usage guidelines You can abort a certificate request and change some param...

Page 442: ...me a case insensitive string of 1 to 31 characters Usage guidelines A certificate based access control policy contains a set of access control rules that permit or deny access to the device based on the attributes in the requesting client s certificate Examples Create a certificate based access control policy named mypolicy and enter its view Sysname system view Sysname pki certificate access cont...

Page 443: ...les the system determines that the all certificates match the associated access control rule Examples Create a certificate attribute group named mygroup and enter its view Sysname system view Sysname pki certificate attribute group mygroup Sysname pki cert attribute group mygroup Related commands attribute display pki certificate attribute group rule pki delete certificate Use pki delete certifica...

Page 444: ...e pki delete certificate domain domain name peer serial serial num command Examples Remove the CA certificate in PKI domain aaa Sysname system view Sysname pki delete certificate domain aaa ca Local certificates peer certificates and CRL will also be deleted while deleting the CA certificate Confirm to delete the CA certificate Y N y Sysname Remove the local certificates in PKI domain aaa Sysname ...

Page 445: ...ers listed in Table 59 Table 59 Special characters Character name Symbol Character name Symbol Tilde Dot Asterisk Left angle bracket Backslash Right angle bracket Vertical bar Quotation marks Colon Apostrophe Usage guidelines When you remove a PKI domain the certificates and the CRL in the domain are also removed Examples Create a PKI domain named aaa and enter its view Sysname system view Sysname...

Page 446: ...m view Sysname pki entity en Sysname pki entity en Related commands pki domain pki export Use pki export to export the CA certificate and the local certificates in a PKI domain Syntax pki export domain domain name der all ca local filename filename pki export domain domain name p12 all local passphrase p12 key filename filename pki export domain domain name pem all local 3des cbc aes 128 cbc aes 1...

Page 447: ...r screen Usage guidelines When you export the CA certificate the following conditions might exist If the PKI domain has only one CA certificate this command exports the CA certificate to a file or displays it on the monitor screen If the PKI domain has a CA certificate chain this command exports the certificate chain to a file or displays it on the monitor screen When you export a local certificat...

Page 448: ...an absolute path If the specified path does not exist the export operation fails Examples Export the CA certificate in the PKI domain to a file named cert ca der in DER format Sysname system view Sysname pki export domain domain1 der ca filename cert ca der Export the local certificates in the PKI domain to a file named cert lo der in DER format Sysname system view Sysname pki export domain domain...

Page 449: ...HgYIKwYBBQUHMAGGEmh0dHA6 Ly90aXRhbjoyNTYwLzAdBggrBgEFBQcwDIYRaHR0cDovL3RpdGFuOjgzMC8wPAYD VR0fBDUwMzAxoC gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB tgD8c0b n4v F36sJjY1fRFSr4gPLIxZhPWhTrqsCd QMELRCDNHDxvt3 1NEG12 X6BVjLcKXKH EQe0fnwK 7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv UDS8c HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whz...

Page 450: ...zGsCAwEA AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz L2Jhc2ljMBEGCWCGSAGG EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG EIBDQQh Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY ut7Xr2Ct 23zU ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn gx0 C...

Page 451: ...DMuGOKJJpsyKTKcbG9NdfbDyFgzEYAobyYqAUB3C0 bMfBduwhQWKSoYE 6vZsPGAEisCmAl3dIp49jPgVkixoShraYF1jLsWzJGlzem8QvWYzOqKEDwq3SV0Z cXK8gzDBcsobcUMkwIYPAmd1kAPX END CERTIFICATE Bag Attributes friendlyName localKeyID 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D Key Attributes No Attributes BEGIN ENCRYPTED PRIVATE KEY MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIcUSKSW9GVmICAggA MBEGBSsOAwI...

Page 452: ...1UEBhMC Y24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQ0wCwYDVQQDEwRhYWNhMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcuJsWhAJXEDmowGb5z7VDVms54TKi xnaNJCWvBOrU64ftvpVB7xQekbkjgAS9FjDyXlLQ8IyIsYIp5ebJr8P n9i9Pl7j lBx5mi4XeIldyv2OjfNx5oSQ gWY9 m1R8uv13RS05r3rxPg 7EvKBjmiy0Giddw vu3Y3WrjBPp6GQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJrQddzVQEiy4AcgtzUL ltkmlmWoz87 jUsgFB H xeyiZE4sancf2UwH8kXWqZ5AuReFCCBC2fkvvQvUGnV cs...

Page 453: ...ain to a file named cert all p7b in PKCS12 format Sysname system view Sysname pki export domain domain1 p12 all passphrase 123 filename cert all p7b Related commands pki domain pki import Use pki import to import the CA certificate local certificates or peer certificates for a PKI domain Syntax pki import domain domain name der ca local peer filename filename p12 local filename filename pem ca loc...

Page 454: ... peer certificates contain the CA certificate chain you can import the CA certificate and the local or peer certificates at the same time If the CA certificate already exists in a PKI domain the system prompts you whether to overwrite the existing CA certificate If the local or peer certificates do not contain the CA certificate chain but the CA certificate already exists in a PKI domain you can d...

Page 455: ...filename rootca_pem cer The trusted CA s finger print is MD5 fingerprint FFFF 3EFF FFFF 37FF FFFF 137B FFFF 7535 SHA1 fingerprint FFFF FF7F FF2B FFFF 7618 FF4C FFFF 0A7D FFFF FF69 Is the finger print correct Y N y Sysname Import CA certificate file aca_pem cer in PEM format to PKI domain bbb The certificate file does not contain the root certificate Sysname system view Sysname pki import domain bb...

Page 456: ...wwCgYD VQQDEwNzc2wwHhcNMTAxMDE1MDEyMzA2WhcNMTIwNzI2MDYzMDU0WjAXMRUwEwYD VQQDEwxzbGRzc2xzZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMLP N3aTKV7NDndIOk0PpiikYPgxVih geMXR3iYaANbcvRX07 FMDINWHJnBAZhCDvp rFO552loGiPyl0wmFMK12TSL7sHvrxr0OdrFrqtWlbW DsNGNcFSKZy3RvIngC2k ZZqBeFPUytP185JUhbOrVaUDlisZi6NNshcIjd2BAgMBAAGjgbowgbcwHwYDVR0j BBgwFoAUmoMpEynZYoPLQdR1LlKhZjg8kBEwDgYDVR0PAQH BAQDAgP4MBEGCWCG SAG...

Page 457: ...racters include a to z A to Z 0 to 9 and hyphens Please enter the key pair name default name bbb The key pair already exists Please enter the key pair name import key Related commands display pki certificate public key dsa public key ecdsa public key rsa pki request certificate Use pki request certificate to submit a local certificate request or generate a certificate request in PKCS 10 format Syn...

Page 458: ... absolute path If the specified path does exist the request information cannot be saved This command is not saved in the configuration file Examples Display information about the certificate request in PKCS 10 format Sysname system view Sysname pki request certificate domain aaa pkcs10 Request for general certificate BEGIN NEW CERTIFICATE REQUEST MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0...

Page 459: ... the CA certificate again You can obtain local certificates or peer certificates through the LDAP protocol If a PKI domain already has local certificates or peer certificates you can still perform the obtain operation and the obtained local certificates or peer certificates overwrite the existing ones If RSA is used a PKI domain can have two local certificates one for signing and the other for enc...

Page 460: ...tation marks Colon Apostrophe Usage guidelines CRLs are used to verify the validity of the local certificates and the peer certificates in a PKI domain To obtain CRLs a PKI domain must have the correct CA certificate The URL of the CRL repository is specified by using the crl url command The device can obtain CRLs from the CRL repository through the HTTP LDAP or SCEP protocol Which protocol is use...

Page 461: ...he first time Views System view Predefined user roles network admin Parameters certificates Specifies a storage path for certificates crls Specifies a storage path for CRLs dir path Specifies a storage path a case sensitive string which cannot start with a slash or contain two dots plus a slash The dir path argument specifies an absolute path or a relative path and the path must exist Usage guidel...

Page 462: ...ks Colon Apostrophe ca Specifies the CA certificate local Specifies the local certificates Usage guidelines Generally certificates are automatically verified when you request obtain or import them or when an application uses PKI You can also use this command to manually verify a certificate in the following aspects Whether the certificate is issued by a trusted CA Whether the certificate has expir...

Page 463: ... C cn O abc OU test CN aca Verify result OK Verifying certificates Serial Number 5c 72 dc c4 a5 43 cd f9 32 b9 c1 90 8f dd 50 f6 Issuer C cn O ccc OU ppp CN rootca Subject C cn O ccc OU ppp CN rootca Verify result OK Verify the local certificates in PKI domain aaa Sysname system view Sysname pki validate certificate domain aaa local Verifying certificates Serial Number bc 05 70 1f 0e da 0d 10 16 1...

Page 464: ...nd to generate a key pair An application like IKE using digital signature authentication triggers the device to generate a key pair Use the pki import command to import a certificate containing a key pair A PKI domain can have key pairs using only one type of cryptographic algorithm DSA ECDSA or RSA If DSA or ECDSA is used a PKI domain can have only one key pair If you configure a DSA or ECDSA key...

Page 465: ...fined user roles network admin Parameters name key name Specifies a key pair by its name a case insensitive string of 1 to 64 characters The key pair name can contain only letters digits and hyphens secp192r1 Uses the secp192r1 curve to generate the key pair The secp192r1 curve is used by default in non FIPS mode secp256r1 Uses the secp256r1 curve to generate the key pair The secp256r1 curve is us...

Page 466: ...384 bit ECDSA key pair abc for certificate request in PKI domain aaa Sysname system view Sysname pki domain aaa Sysname pki domain aaa public key ecdsa name abc secp384r1 Related commands pki import public key local create see Security Command Reference public key rsa Use public key rsa to specify an RSA key pair for certificate request Use undo public key to restore the default Syntax public key ...

Page 467: ... RSA signing key pair or RSA encryption key pair multiple times the most recent configuration takes effect The RSA signing key pair and encryption key pair do not overwrite each other If you specify a signing key pair and an encryption key pair separately their key length can be different The length key length option takes effect only if you specify a nonexistent key pair The device will automatic...

Page 468: ...certificate with the one configured in the PKI domain If the two fingerprints do not match or no fingerprint is configured in the PKI domain the device rejects the CA certificate and the local certificate request fails The fingerprint configured by this command is also used for CA certificate verification when the device performs the following operations Imports the CA certificate as requested by ...

Page 469: ...group by its name a case insensitive string of 1 to 31 characters Usage guidelines When you create an access control rule you can associate it with a nonexistent certificate attribute group The system determines that a certificate matches an access control rule when either of the following conditions exists The associated certificate attribute group does not exist The associated certificate attrib...

Page 470: ...face by its type and number The interface s primary IP address will be used as the source IP address for PKI protocol packets Usage guidelines Use this command to specify the source IP address for PKI protocol packets You can also specify a source interface if the IP address is dynamically obtained Make sure there is a route between the source IP address and the CA server You can specify only one ...

Page 471: ...lt No state name or province name is set for a PKI entity Views PKI entity view Predefined user roles network admin Parameters state name Specifies a state or province by its name a case sensitive string of 1 to 63 characters No comma can be included Examples Set the state name to countryA for PKI entity en Sysname system view Sysname pki entity en Sysname pki entity en state countryA subject dn U...

Page 472: ...he following commands do not take effect common name country locality organization organization unit state If you configure this command multiple times the most recent configuration takes effect Examples Configure the DN for PKI entity en Sysname system view Sysname pki entity en Sysname pki entity en subject dn CN test C CN O abc OU rdtest OU rstest ST countryA L pukras Related commands common na...

Page 473: ... the SSL client can use the certificates ssl server Specifies the SSL server certificate extension so the SSL server can use the certificates Usage guidelines If you do not specify any keywords for the undo usage command this command removes all certificate extensions The extension options contained in a certificate depends on the CA policy and might be different from those specified in the PKI do...

Page 474: ...MAC AES XCBC MAC algorithm which uses a 128 bit key md5 Uses the HMAC MD5 algorithm which uses a 128 bit key sha1 Uses the HMAC SHA1 algorithm which uses a 160 bit key sha256 Uses the HMAC SHA256 algorithm which uses a 256 bit key sha384 Uses the HMAC SHA384 algorithm which uses a 384 bit key sha512 Uses the HMAC SHA512 algorithm which uses a 512 bit key Usage guidelines In non FIPS mode you can s...

Page 475: ...Psec policy templates or IPsec profiles to distinguish them Examples Configure the description for IPsec policy 1 as CenterToA Sysname system view Sysname ipsec policy policy1 1 isakmp Sysname ipsec policy isakmp policy1 1 description CenterToA display ipsec ipv6 policy policy Use display ipsec ipv6 policy policy to display information about IPsec policies Syntax display ipsec ipv6 policy policy p...

Page 476: ...formation about all IPv4 IPsec policies Sysname display ipsec policy IPsec Policy mypolicy Sequence number 1 Mode Manual The policy configuration is incomplete ACL not specified Incomplete transform set configuration Description This is my first IPv4 manual policy Security data flow Remote address 2 5 2 1 Transform set transform Inbound AH setting AH SPI 1200 0x000004b0 AH string key AH authentica...

Page 477: ...SA duration time based SA duration traffic based SA idle time IPsec Policy mycompletepolicy Interface LoopBack2 Sequence number 1 Mode Manual Description This is my complete policy Security data flow 3100 Remote address 2 2 2 2 Transform set completetransform Inbound AH setting AH SPI 5000 0x00001388 AH string key AH authentication hex key Inbound ESP setting ESP SPI 7000 0x00001b58 ESP string key...

Page 478: ...form IKE profile IKEv2 profile SA duration time based SA duration traffic based SA idle time Display information about all IPv6 IPsec policies Sysname display ipsec ipv6 policy IPsec Policy mypolicy Sequence number 1 Mode Manual Description This is my first IPv6 policy Security data flow 3600 Remote address 1000 2 Transform set mytransform Inbound AH setting AH SPI 1235 0x000004d3 AH string key AH...

Page 479: ...tatements The IPsec transform set configuration is not complete The peer IP address of the IPsec tunnel is not specified The SPI and key of the IPsec SA do not match those in the IPsec policy Description Description of the IPsec policy Traffic Flow Confidentiality Whether Traffic Flow Confidentiality TFC padding is enabled Security data flow ACL used by the IPsec policy Selector mode Data flow pro...

Page 480: ...lay ipsec ipv6 policy template policy template Use display ipsec ipv6 policy template policy template to display information about IPsec policy templates Syntax display ipsec ipv6 policy template policy template template name seq number Views Any view Predefined user roles network admin network operator Parameters ipv6 policy template Displays information about IPv6 IPsec policy templates policy t...

Page 481: ... local duration traffic based 1843200 kilobytes SA idle time Display information about all IPv6 IPsec policy templates Sysname display ipsec ipv6 policy template IPsec Policy Template template6 Sequence number 1 Description This is policy template Traffic Flow Confidentiality Disabled Security data flow Selector mode standard Local address IKE profile IKEv2 profile Remote address 200 1 64 Transfor...

Page 482: ...rm set used by the IPsec policy template IPsec SA local duration time based Time based IPsec SA lifetime in seconds IPsec SA local duration traffic based Traffic based IPsec SA lifetime in kilobytes SA idle time Idle timeout of the IPsec SA in seconds Related commands ipsec ipv6 policy policy isakmp template display ipsec profile Use display ipsec profile to display information about IPsec profile...

Page 483: ...uthentication hex key Table 68 Command output Field Description IPsec profile IPsec profile name Mode Negotiation mode used by the IPsec profile manual or IKE Description Description of the IPsec profile Transform set IPsec transform set used by the IPsec profile Related commands ipsec profile display ipsec sa Use display ipsec sa to display information about IPsec SAs Syntax display ipsec sa brie...

Page 484: ...its remote end IPv6 address If this keyword is not specified the specified remote end IP address is an IPv4 address Usage guidelines If you do not specify any parameters this command displays detailed information about all IPsec SAs Examples Display brief information about IPsec SAs Sysname display ipsec sa brief Interface Global Dst Address SPI Protocol Status GE1 0 1 10 1 1 1 400 ESP Active GE1 ...

Page 485: ...68 1 0 255 255 255 0 port 0 protocol ip Inbound ESP SAs SPI 3564837569 0xd47b1ac1 Connection ID 1 Transform set ESP ENCRYPT AES CBC 128 ESP AUTH SHA1 SA duration kilobytes sec 4294967295 604800 SA remaining duration kilobytes sec 1843200 2686 Max received sequence number 5 Anti replay check enable Y Anti replay window size 32 UDP encapsulation used for NAT traversal N Status Active Outbound ESP SA...

Page 486: ...policy Manual ISAKMP Template GDOI Tunnel id IPsec tunnel ID Encapsulation mode Encapsulation mode transport or tunnel Perfect Forward Secrecy Perfect Forward Secrecy PFS used by the IPsec policy for negotiation 768 bit Diffie Hellman group dh group1 1024 bit Diffie Hellman group dh group2 1536 bit Diffie Hellman group dh group5 2048 bit Diffie Hellman group dh group14 2048 bit and 256_bit subgrou...

Page 487: ...nection ID Identifier of the IPsec SA Transform set Security protocol and algorithms used by the IPsec transform set SA duration kilobytes sec IPsec SA lifetime in kilobytes or seconds SA remaining duration kilobytes sec Remaining IPsec SA lifetime in kilobytes or seconds Max received sequence number Max sequence number in the received packets Max sent sequence number Max sequence number in the se...

Page 488: ...ec packets Examples Display statistics for all IPsec packets Sysname display ipsec statistics IPsec packet statistics Received sent packets 47 64 Received sent bytes 3948 5208 Dropped packets received sent 0 45 Dropped packets statistics No available SA 0 Wrong SA 0 Invalid length 0 Authentication failure 0 Encapsulation failure 0 Decapsulation failure 0 Replayed packets 0 ACL check failure 45 MTU...

Page 489: ...lid packet length Authentication failure Number of packets dropped due to authentication failure Encapsulation failure Number of packets dropped due to encapsulation failure Decapsulation failure Number of packets dropped due to decapsulation failure Replayed packets Number of dropped replayed packets ACL check failure Number of packets dropped due to ACL check failure MTU check failure Number of ...

Page 490: ...able 72 Command output Field Description IPsec transform set Name of the IPsec transform set State Whether the IPsec transform set is complete Encapsulation mode Encapsulation mode used by the IPsec transform set transport or tunnel ESN Whether Extended Sequence Number ESN is enabled PFS Perfect Forward Secrecy PFS used by the IPsec policy for negotiation 768 bit Diffie Hellman group dh group1 102...

Page 491: ...the tunnel id argument is 0 to 4294967295 Usage guidelines IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints such as two security gateways Such a secure channel is usually called an IPsec tunnel Examples Display brief information about all IPsec tunnels Sysname display ipsec tunnel brief Tunn id Src Address Dst Address Inbound SPI Outbound ...

Page 492: ...ec tunnels Sysname display ipsec tunnel count Total IPsec Tunnel Count 2 Display detailed information about all IPsec tunnels Sysname display ipsec tunnel Tunnel ID 0 Status active Perfect forward secrecy SA s SPI outbound 2000 0x000007d0 AH inbound 1000 0x000003e8 AH outbound 4000 0x00000fa0 ESP inbound 3000 0x00000bb8 ESP Tunnel local address remote address Flow Tunnel ID 1 Status Active Perfect...

Page 493: ...bit subgroup Diffie Hellman group dh group24 256 bit ECP Diffie Hellman group dh group19 384 bit ECP Diffie Hellman group dh group20 SA s SPI SPIs of the inbound and outbound SAs Tunnel Local and remote addresses of the IPsec tunnel local address Local end IP address of the IPsec tunnel remote address Remote end IP address of the IPsec tunnel Flow Information about the data flow protected by the I...

Page 494: ...headers The calculated security protocol headers and the encrypted data only for ESP encapsulation are encapsulated in a new IP packet In this mode the encapsulated packet has two IP headers The inner IP header is the original IP header The outer IP header is added by the network device that provides the IPsec service You must use the tunnel mode when the secured transmission start and end points ...

Page 495: ...Enable the ESN feature in the IPsec transform set tran1 Sysname system view Sysname ipsec transform set tran1 Sysname ipsec transform set tran1 esn enable Related commands display ipsec transform set esp authentication algorithm Use esp authentication algorithm to specify authentication algorithms for ESP Use undo esp authentication algorithm to restore the default Syntax In non FIPS mode esp auth...

Page 496: ...tem view Sysname ipsec transform set tran1 Sysname ipsec transform set tran1 esp authentication algorithm sha1 Related commands ipsec transform set esp encryption algorithm Use esp encryption algorithm to specify encryption algorithms for ESP Use undo esp encryption algorithm to restore the default Syntax In non FIPS mode esp encryption algorithm 3des cbc aes cbc 128 aes cbc 192 aes cbc 256 aes ct...

Page 497: ...ble only for IKEv2 gcm 128 Uses the GCM algorithm which uses a 128 bit key This keyword is available only for IKEv2 gcm 192 Uses the GCM algorithm which uses a 192 bit key This keyword is available only for IKEv2 gcm 256 Uses the GCM algorithm which uses a 256 bit key This keyword is available only for IKEv2 null Uses the NULL algorithm which means encryption is not performed Usage guidelines You ...

Page 498: ... to 63 characters Usage guidelines The IKE profile specified for an IPsec policy IPsec policy template or IPsec profile defines the parameters used for IKE negotiation You can specify only one IKE profile for an IPsec policy IPsec policy template or IPsec profile Examples Specify the IKE profile profile1 for the IPsec policy policy1 Sysname system view Sysname ipsec policy policy1 10 isakmp Sysnam...

Page 499: ...play ipsec ipv6 policy display ipsec policy ikev2 profile ipsec anti replay check Use ipsec anti replay check to enable IPsec anti replay checking Use undo ipsec anti replay check to disable IPsec anti replay checking Syntax ipsec anti replay check undo ipsec anti replay check Default IPsec anti replay checking is enabled Views System view Predefined user roles network admin Usage guidelines IPsec...

Page 500: ...edefined user roles network admin Parameters width Specifies the size for the anti replay window It can be 64 128 256 512 or 1024 packets Usage guidelines Changing the anti replay window size affects only the IPsec SAs negotiated later Service data packets might be received in a very different order than their original order and the IPsec anti replay feature might drop them as replayed packets aff...

Page 501: ...applied to multiple interfaces A manual IPsec policy can be applied to only one interface Examples Apply the IPsec policy policy1 to interface GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 ipsec apply policy policy1 Related commands display ipsec ipv6 policy policy ipsec ipv6 policy policy ipsec decrypt check enable Use ipsec decrypt...

Page 502: ...er IPsec packets can be fragmented copy Copies the DF bit setting of the original IP header to the outer IP header set Sets the DF bit in the outer IP header IPsec packets cannot be fragmented Usage guidelines This command is effective only when the IPsec encapsulation mode is tunnel mode It is not effective in transport mode because the outer IP header is not added in transport mode This command ...

Page 503: ...tion If the encapsulated packet size exceeds the MTU of the output interface the device fragments the packets before encapsulation If a packet s DF bit is set the device drops the packet and sends an ICMP error message If you configure the device to fragment packets after IPsec encapsulation the device directly encapsulates the packets and fragments the encapsulated packets in subsequent service m...

Page 504: ...re the path MTU is larger than the IPsec packet size As a best practice clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size Examples Set the DF bit in the outer IP header of IPsec packets on all interfaces Sysname system view Sysname ipsec global df bit set Related commands ipsec df bit ipsec limit max tunnel Use ipsec limit max tunnel to set the maximum numb...

Page 505: ...on is disabled Views System view Predefined user roles network admin Usage guidelines This command enables the device to output logs for the IPsec negotiation process This command is available only in non FIPS mode Examples Enable logging for IPsec negotiation Sysname system view Sysname ipsec logging negotiation enable ipsec logging packet enable Use ipsec logging packet enable to enable logging ...

Page 506: ...Specifies an IPv6 IPsec policy policy Specifies an IPv4 IPsec policy policy name Specifies a name for the IPsec policy a case insensitive string of 1 to 63 characters seq number Specifies a sequence number for the IPsec policy entry in the range of 1 to 65535 gdoi Establishes IPsec SAs through GDOI isakmp Establishes IPsec SAs through IKE negotiation manual Establishes IPsec SAs manually Usage gui...

Page 507: ...ipv6 policy policy ipsec apply ipsec ipv6 policy policy isakmp template Use ipsec ipv6 policy policy isakmp template to create an IKE based IPsec policy entry by using an IPsec policy template Use undo ipsec ipv6 policy policy to delete the specified IPsec policy Syntax ipsec ipv6 policy policy policy name seq number isakmp template template name undo ipsec ipv6 policy policy policy name seq numbe...

Page 508: ...olicy local address to remove the binding between an IPsec policy and a source interface Syntax ipsec ipv6 policy policy policy name local address interface type interface number undo ipsec ipv6 policy policy policy name local address Default No IPsec policy is bound to a source interface Views System view Predefined user roles network admin Parameters ipv6 policy Specifies an IPv6 IPsec policy po...

Page 509: ... policy template to create an IPsec policy template entry and enter its view or enter the view of an existing IPsec policy template entry Use undo ipsec ipv6 policy template policy template to delete the specified IPsec policy template Syntax ipsec ipv6 policy template policy template template name seq number undo ipsec ipv6 policy template policy template template name seq number Default No IPsec...

Page 510: ...ete the specified IPsec profile Syntax ipsec profile profile name manual isakmp undo ipsec profile profile name Default No IPsec profiles exist Views System view Predefined user roles network admin Parameters profile name Specifies a name for the IPsec profile a case insensitive string of 1 to 63 characters manual Specifies the IPsec SA setup mode as manual isakmp Specifies the IPsec SA setup mode...

Page 511: ...iews System view Predefined user roles network admin Usage guidelines With IPsec redundancy enabled the system synchronizes the following information from the active device to the standby device at configurable intervals Lower bound values of the IPsec anti replay window for inbound packets IPsec anti replay sequence numbers for outbound packets The synchronization ensures uninterrupted IPsec traf...

Page 512: ...iew or IPsec policy template view over the global IPsec SA lifetimes When IKE negotiates IPsec SAs it uses the local lifetime settings or those proposed by the peer whichever are smaller An IPsec SA can have both a time based lifetime and a traffic based lifetime The IPsec SA expires when either lifetime expires Before the IPsec SA expires IKE negotiates a new IPsec SA which takes over immediately...

Page 513: ...a idle time 600 Related commands display ipsec sa sa idle time ipsec transform set Use ipsec transform set to create an IPsec transform set and enter its view or enter the view of an existing IPsec transform set Use undo ipsec transform set to delete an IPsec transform set Syntax ipsec transform set transform set name undo ipsec transform set transform set name Default No IPsec transform sets exis...

Page 514: ...l IPv6 address Views IPsec policy view IPsec policy template view Predefined user roles network admin Parameters ipv4 address Specifies the local IPv4 address for the IPsec tunnel ipv6 ipv6 address Specifies the local IPv6 address for the IPsec tunnel Usage guidelines The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder In a ...

Page 515: ...d is available only for IKEv2 Usage guidelines In terms of security and necessary calculation time the following groups are in descending order 384 bit ECP Diffie Hellman group dh group20 256 bit ECP Diffie Hellman group dh group19 2048 bit and 256 bit subgroup Diffie Hellman group dh group24 2048 bit Diffie Hellman group dh group14 1536 bit Diffie Hellman group dh group5 1024 bit Diffie Hellman g...

Page 516: ...the AH protocol for the IPsec transform set Sysname system view Sysname ipsec transform set tran1 Sysname ipsec transform set tran1 protocol ah qos pre classify Use qos pre classify to enable the QoS pre classify feature Use undo qos pre classify to disable the QoS pre classify feature Syntax qos pre classify undo qos pre classify Default The QoS pre classify feature is disabled QoS uses the new I...

Page 517: ... value of the IPsec anti replay window to the standby device This interval is expressed in the number of received packets in the range of 0 to 1000 If you set the value to 0 the lower bound value of the anti replay window will not be synchronized outbound outbound interval Specifies the interval at which the active device synchronizes the IPsec anti replay sequence number to the standby device Thi...

Page 518: ... responder if the responder uses an IPsec policy template A manual IPsec policy does not support DNS Therefore you must specify a remote IP address rather than a remote host name for the manual IPsec policy If you configure a remote host name make sure the local end can always resolve the host name into the latest IP address of the remote end If a DNS server is used for resolution the local end qu...

Page 519: ...user roles network admin Parameters ipv6 policy policy policy name seq number Clears IPsec SAs for the specified IPsec policy ipv6 policy Specifies an IPv6 IPsec policy policy Specifies an IPv4 IPsec policy policy name Specifies the name of the IPsec policy a case insensitive string of 1 to 63 characters seq number Specifies the sequence number of an IPsec policy entry in the range of 1 to 65535 I...

Page 520: ... is cleared the system automatically creates a new SA based on the parameters of the IPsec policy After IKE negotiated SAs are cleared the system creates new SAs only when IKE negotiation is triggered by packets Examples Clear all IPsec SAs Sysname reset ipsec sa Clear the inbound and outbound IPsec SAs for the triplet of SPI 256 remote IP address 10 1 1 2 and security protocol AH Sysname reset ip...

Page 521: ...an IPsec policy the device deletes all IPsec SAs that are created according to this IPsec policy Upon IPsec SAs are renegotiated the static routes are created When you disable IPsec RRI for an IPsec policy the device deletes all IPsec SAs that are created according to this IPsec policy and the associated static routes To display the static routes created by RRI use the display ip routing table com...

Page 522: ...e represents a higher preference Usage guidelines When you change this preference in an IPsec policy the device deletes all IPsec SAs created according to this IPsec policy and the associated static routes Examples Change the preference to 100 for static routes created by IPsec RRI Sysname system view Sysname ipsec policy 1 1 isakmp Sysname ipsec policy isakmp 1 1 reverse route preference 100 Rela...

Page 523: ... 1 1 isakmp Sysname ipsec policy isakmp 1 1 reverse route tag 50 Related commands ipsec policy ipsec policy template sa duration Use sa duration to set an SA lifetime Use undo sa duration to remove the SA lifetime Syntax sa duration time based seconds traffic based kilobytes undo sa duration time based traffic based Default The SA lifetime of an IPsec policy IPsec policy template or IPsec profile ...

Page 524: ...s after transmitting 20480 kilobytes Sysname system view Sysname ipsec policy policy1 100 isakmp Sysname ipsec policy isakmp policy1 100 sa duration traffic based 20480 Related commands display ipsec sa ipsec sa global duration sa hex key authentication Use sa hex key authentication to configure a hexadecimal authentication key for manual IPsec SAs Use undo sa hex key authentication to remove the ...

Page 525: ...ame format either in hexadecimal or character format Otherwise they cannot establish an IPsec tunnel Examples Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH Sysname system view Sysname ipsec policy policy1 100 manual Sysname ipsec policy manual policy1 100 sa hex key authentication inbou...

Page 526: ...ncryption key as the remote inbound SA In an IPsec profile to be applied to an IPv6 routing protocol the local encryption keys of the inbound and outbound SAs must be identical If you execute this command multiple times the most recent configuration takes effect The keys for the IPsec SAs at the two tunnel ends must be configured in the same format either in hexadecimal or character format Otherwi...

Page 527: ...ommand takes precedence over the global IPsec SA timeout configured by the ipsec sa idle time command If the IPsec policy IPsec policy template or IPsec profile is not configured with the SA idle timeout IKE uses the global SA idle timeout Examples Set the IPsec SA idle timeout to 600 seconds for the IPsec policy map Sysname system view Sysname ipsec policy map 100 isakmp Sysname ipsec policy isak...

Page 528: ...e local inbound and outbound SAs must use the same SPI The IPsec SAs on the devices in the same scope must have the same SPI The scope is defined by protocols For OSPF the scope consists of OSPF neighbors or an OSPF area For RIPng the scope consists of directly connected neighbors or a RIPng process For BGP the scope consists of BGP peers or a BGP peer group Examples Set the SPI for the inbound SA...

Page 529: ...or the IPsec SAs at the two tunnel ends must be input in the same format either in hexadecimal or character format Otherwise they cannot establish an IPsec tunnel When you configure an IPsec policy or IPsec profile for an IPv6 protocol follow these guidelines The local inbound and outbound SAs must use the same key The IPsec SAs on the devices in the same scope must have the same key The scope is ...

Page 530: ...ne data flow The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it The standard mode is used if you do not specify the aggregation or the per host mode Aggregation mode One IPsec tunnel protects all data flows permitted by all the rules of an ACL This mode is only used to communicate with old version devices Per host mode One IPsec tunnel protect...

Page 531: ...ntax snmp agent trap enable ipsec auth failure decrypt failure encrypt failure global invalid sa failure no sa failure policy add policy attach policy delete policy detach tunnel start tunnel stop undo snmp agent trap enable ipsec auth failure decrypt failure encrypt failure global invalid sa failure no sa failure policy add policy attach policy delete policy detach tunnel start tunnel stop Defaul...

Page 532: ... Sysname system view Sysname snmp agent trap enable ipsec global Enable SNMP notifications for events of creating IPsec tunnels Sysname snmp agent trap enable ipsec tunnel start tfc enable Use tfc enable to enable Traffic Flow Confidentiality TFC padding Use undo tfc enable to disable the TFC padding feature Syntax tfc enable undo tfc enable Default TFC padding is disabled Views IPsec policy view ...

Page 533: ...es You can specify only one IPsec transform set for a manual IPsec policy If you execute this command multiple times the most recent configuration takes effect You can specify a maximum of six IPsec transform sets for an IKE based IPsec policy During an IKE negotiation IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel If no match is found no SA can be set up ...

Page 534: ...ng of 1 to 63 characters The specified IPsec profile must be an IKE based IPsec profile Usage guidelines IKE based IPsec profiles can be applied only to ADVPN tunnel interfaces After an IPsec profile is applied to a tunnel interface the peers negotiate an IPsec tunnel through IKE to protect data transmitted through the tunnel interface Examples Apply IPsec profile prf1 to tunnel interface Tunnel 1...

Page 535: ...ht angle bracket or an at sign The name cannot be d de def defa defau defaul default i if if if u if un if unk if unkn if unkno if unknow or if unknown username user name Specifies the username used for requesting authorization attributes The username is a case sensitive string of 1 to 55 characters and must meet the following requirements The username cannot contain the domain name The username c...

Page 536: ... sha512 undo authentication algorithm Default In non FIPS mode the IKE proposal uses the HMAC SHA1 authentication algorithm In FIPS mode the IKE proposal uses the HMAC SHA256 authentication algorithm Views IKE proposal view Predefined user roles network admin Parameters md5 Specifies HMAC MD5 as the authentication algorithm sha Specifies HMAC SHA1 as the authentication algorithm sha256 Specifies H...

Page 537: ...ovides higher security and it is usually deployed in a large scale network such as a network with many branches In a network with many branches using pre shared key authentication requires the headquarters to configure a pre shared key for each branch Using signature authentication only requires the headquarters to configure one PKI domain Authentication methods configured on both IKE ends must ma...

Page 538: ...ed for the PKI domain the initiator automatically obtains the CA certificate If the IKE profile has no PKI domain you must manually obtain the CA certificate On the responder If main mode is used in IKE phase 1 the responder does not automatically obtain the CA certificate You must manually obtain the CA certificate If aggressive mode is used in IKE phase 1 the responder automatically obtains the ...

Page 539: ...E negotiation the IPsec gateway uses a RADIUS server to authenticate the remote users Remote users who provide the correct username and password pass the authentication and continue with the negotiation This feature simplifies the configuration on the IPsec gateway and ensures the validity of the remote users If you do not use this feature you must configure an IPsec policy and an authentication p...

Page 540: ...y negotiation in IKE phase 1 Use undo dh to restore the default Syntax In non FIPS mode dh group1 group14 group2 group24 group5 undo dh In FIPS mode dh group14 undo dh Default In non FIPS mode group1 the 768 bit Diffie Hellman group is used In FIPS mode group14 the 2048 bit Diffie Hellman group is used Views IKE proposal view Predefined user roles network admin Parameters group1 Uses the 768 bit D...

Page 541: ...x display ike proposal Views Any view Predefined user roles network admin network operator Usage guidelines This command displays the configuration information about all IKE proposals in descending order of proposal priorities If no IKE proposal is configured this command displays the default IKE proposal Examples Display the configuration information about all IKE proposals Sysname display ike pr...

Page 542: ...ut IKE SAs Syntax display ike sa verbose connection id connection id remote address ipv6 remote address vpn instance vpn instance name Views Any view Predefined user roles network admin network operator Parameters verbose Displays detailed information connection id connection id Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000 remote address Displays det...

Page 543: ...it is about to expire and will be deleted soon RK REKEY The SA is a Rekey SA Unknown The SA status is unknown DOI Interpretation domain to which the SA belongs IPSEC The SA belongs to an IPsec DOI Group The SA belongs to a GDOI Display detailed information about all IKE SAs Sysname display ike sa verbose Connection ID 2 Outside VPN 1 Inside VPN 1 Profile prof1 Transmitting entity Initiator Local I...

Page 544: ...ithm AES CBC 128 Life duration sec 86400 Remaining key duration sec 86379 Exchange mode Main Diffie Hellman group Group 1 NAT traversal Not detected Extend authentication Enabled Assigned IP address 192 168 2 1 Table 77 Command output Field Description Connection ID Identifier of the IKE SA Outside VPN VPN instance name of the MPLS L3VPN to which the receiving interface belongs Inside VPN VPN inst...

Page 545: ...C mode AES CBC 256 256 bit AES algorithm in CBC mode DES CBC 56 bit DES algorithm in CBC mode Life duration sec Lifetime of the IKE SA in seconds Remaining key duration sec Remaining lifetime of the IKE SA in seconds Exchange mode IKE negotiation mode in phase 1 main mode or aggressive mode Diffie Hellman group DH group used for key negotiation in IKE phase 1 NAT traversal Whether a NAT gateway is...

Page 546: ... authority 0 Invalid signature 0 Unsupported exchage type 0 No available SA 1 Retransmit timeout 0 Not enough memory 0 Enqueue fails 0 Related commands reset ike statistics dpd Use dpd to configure IKE DPD Use undo dpd to disable IKE DPD Syntax dpd interval interval retry seconds on demand periodic undo dpd interval Default IKE DPD is disabled Views IKE profile view Predefined user roles network a...

Page 547: ...e DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond Sysname system view Sysname ike profile 1 Sysname ike profile 1 dpd interval 10 retry 5 on demand Related commands ike dpd encryption algorithm Use encryption algorithm to specify an encryption algorithm for an IKE proposal Use undo encryption algorithm to restore the default Syntax In non FIPS ...

Page 548: ...ds display ike proposal exchange mode Use exchange mode to select an IKE negotiation mode for phase 1 Use undo exchange mode to restore the default Syntax In non FIPS mode exchange mode aggressive main undo exchange mode In FIPS mode exchange mode main undo exchange mode Default Main mode is used for phase 1 Views IKE profile view Predefined user roles network admin Parameters aggressive Specifies...

Page 549: ...rt ipv4 address argument specifies the start IPv4 address The end ipv4 address argument specifies the end IPv4 address mask Specifies the IPv4 address mask mask length Specifies the length of the IPv4 address mask Usage guidelines An IKE IPv4 address pool can contain a maximum of 8192 IPv4 addresses To modify or delete an address pool you must delete all IKE SAs and IPsec SAs Otherwise the assigne...

Page 550: ...ractice use the on demand mode when the device communicates with a large number of IKE peers For an earlier detection of dead peers use the periodical triggering mode which consumes more bandwidth and CPU When DPD settings are configured in both IKE profile view and system view the DPD settings in IKE profile view apply If DPD is not configured in IKE profile view the DPD settings in system view a...

Page 551: ...ns The local identity set by the local identity command for an IKE profile can be used only for IKE SA negotiations that use the IKE profile If the local authentication method is signature authentication you can set an identity of any type If the local authentication method is pre shared key authentication you cannot set the DN as the identity The ike signature identity from certificate command se...

Page 552: ...PI invalid notification can be sent Upon receiving the notification the originating peer deletes the IPsec SA that has the invalid SPI If the originator has data to send new SAs will be set up Use caution when you enable the invalid SPI recovery feature because using this feature can result in a DoS attack Attackers can make a great number of invalid SPI notifications to the same peer Examples Ena...

Page 553: ...ws System view Predefined user roles network admin Parameters seconds Specifies the number of seconds between IKE keepalives The value range for this argument is 20 to 28800 Usage guidelines If the local end receives no keepalive packets from the peer during the timeout time the IKE SA is deleted along with the IPsec SAs it negotiated The keepalive timeout time configured at the local end must be ...

Page 554: ...1 characters To create an IKE keychain for the public network do not specify this option Usage guidelines To use pre shared key authentication you must create and specify an IKE keychain for the IKE profile Examples Create the IKE keychain key1 and enter its view Sysname system view Sysname ike keychain key1 Sysname ike keychain key1 Related commands authentication method pre shared key ike limit ...

Page 555: ...f the device s memory space without affecting other applications in the system Examples Set the maximum number of half open IKE SAs and IPsec SAs to 200 Sysname system view Sysname ike limit max negotiating sa 200 Set the maximum number of established IKE SAs to 5000 Sysname system view Sysname ike limit max sa 5000 ike logging negotiation enable Use ike logging negotiation enable to enable loggin...

Page 556: ... peer to keep the NAT session alive so that the peer can access the device The NAT keepalive interval must be shorter than the NAT session lifetime For information about how to display the lifetime of NAT sessions see Layer 3 IP Services Command Reference Examples Set the NAT keepalive interval to 5 seconds Sysname system view Sysname ike nat keepalive 5 ike profile Use ike profile to create an IK...

Page 557: ...pecifies an IKE proposal number in the range of 1 to 65535 The lower the number the higher the priority of the IKE proposal Usage guidelines During IKE negotiation The initiator sends its IKE proposals to the peer If the initiator is using an IPsec policy with an IKE profile the initiator sends all IKE proposals specified for the IKE profile to the peer An IKE proposal specified earlier for the IK...

Page 558: ...nformation in the local certificate for signature authentication regardless of the local identity or ike identity configuration Configure this command when the aggressive mode and signature authentication are used and the device interconnects with a Comware 5 based peer device Comware 5 supports only DN for signature authentication If the ike signature identity from certificate command is not conf...

Page 559: ... data If you do not configure this command the device looks for a route in the VPN instance where the receiving interface resides to forward the data Examples Specify the inside VPN instance vpn1 for IKE profile prof1 Sysname system view Sysname ike profile prof1 Sysname ike profile prof1 inside vpn vpn instance vpn1 keychain Use keychain to specify an IKE keychain for pre shared key authenticatio...

Page 560: ...he DN in the local certificate as the local ID fqdn fqdn name Uses an FQDN as the local ID The fqdn name argument is a case sensitive string of 1 to 255 characters such as www test com If you do not specify this argument the device name configured by using the sysname command is used as the local FQDN user fqdn user fqdn name Uses a user FQDN as the local ID The user fqdn name argument is a case s...

Page 561: ...s The vpn instance name argument represents the VPN instance name a case sensitive string of 1 to 31 characters To specify an IP address on the public network do not specify this option Usage guidelines Use this command to specify which address or interface can use the IKE keychain for IKE negotiation Specify the local address configured in IPsec policy or IPsec policy template view using the loca...

Page 562: ... instance name argument represents the VPN instance name a case sensitive string of 1 to 31 characters To specify an IP address on the public network do not specify this option Usage guidelines Use this command to specify which address or interface can use the IKE profile for IKE negotiation Specify the local address configured in IPsec policy or IPsec policy template view using the local address ...

Page 563: ...ity Uses the specified information as the peer ID for IKE profile matching The specified information is configured on the peer by using the local identity command address ipv4 address mask mask length Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKE profile matching The mask length argument is in the range of 0 to 32 address range low ipv4 address high ipv4 address Uses a...

Page 564: ...ile prof1 Configure a peer ID with the identity type of FQDN and the value of www test com Sysname ike profile prof1 match remote identity fqdn www test com Configure a peer ID with the identity type of IP address and the value of 10 1 1 1 Sysname ike profile prof1 match remote identity address 10 1 1 1 Related commands local identity pre shared key Use pre shared key to configure a pre shared key...

Page 565: ...of 1 to 128 characters and its encrypted form is a string of 15 to 201 characters Usage guidelines The address option or the hostname option specifies the peer with which the device can use the pre shared key to perform IKE negotiation Two peers must be configured with the same pre shared key to pass pre shared key authentication In FIPS mode if you do not specify the cipher string option you spec...

Page 566: ...ew Sysname ike keychain key1 Sysname ike keychain key1 priority 10 priority IKE profile view Use priority to specify a priority for an IKE profile Use undo priority to restore the default Syntax priority priority undo priority Default The priority of an IKE profile is 100 Views IKE profile view Predefined user roles network admin Parameters priority priority Specifies a priority number in the rang...

Page 567: ... to six IKE proposals by their numbers in the range of 1 to 65535 An IKE proposal specified earlier has a higher priority Usage guidelines When acting as the initiator the device sends the specified IKE proposals to its peer for IKE negotiation When acting as the responder the device uses the IKE proposals configured in system view to match the IKE proposals received from the initiator Examples Sp...

Page 568: ...ags RD READY ST STAYALIVE RL REPLACED FD FADING TO TIMEOUT Delete the IKE SA with the connection ID 2 Sysname reset ike sa connection id 2 Display the current IKE SAs Sysname display ike sa Total IKE SAs 1 Connection ID Remote Flag DOI 1 202 38 0 2 RD ST IPSEC Flags RD READY ST STAYALIVE RL REPLACED FD FADING TO TIMEOUT reset ike statistics Use reset ike statistics command to clear IKE MIB statist...

Page 569: ...name ike proposal 1 Sysname ike proposal 1 sa duration 600 Related commands display ike proposal snmp agent trap enable ike Use snmp agent trap enable ike command to enable SNMP notifications for IKE Use undo snmp agent trap enable ike to disable SNMP notifications for IKE Syntax snmp agent trap enable ike attr not support auth failure cert type unsupport cert unavailable decrypt failure encrypt f...

Page 570: ...id protocol failures invalid sign Specifies notifications about invalid signature failures no sa failure Specifies notifications about SA not found failures proposal add Specifies notifications about events of adding IKE proposals proposal delete Specifies notifications about events of deleting IKE proposals tunnel start Specifies notifications about events of creating IKE tunnels tunnel stop Spec...

Page 571: ...sting authorization attributes The username is a case sensitive string of 1 to 55 characters and must meet the following requirements The username cannot contain the domain name The username cannot contain a forward slash backslash vertical bar colon asterisk question mark left angle bracket right angle bracket or an at sign The username cannot be a al or all Usage guidelines The AAA authorization...

Page 572: ...dress in the range of 0 to 32 ipv6 ipv6 address Specifies the IPv6 address of the IKEv2 peer prefix length Specifies the prefix length of the IPv6 address in the range of 0 to 128 Usage guidelines Both the initiator and the responder can look up an IKEv2 peer by IP address in IKEv2 negotiation The IP addresses of different IKEv2 peers in the same IKEv2 keychain cannot be the same Examples Create a...

Page 573: ...You can specify only one local identity authentication method You can specify multiple remote identity authentication methods by executing this command multiple times when there are multiple remote ends whose authentication methods are unknown If you use RSA DSA or ECDSA signature authentication you must specify PKI domains for obtaining certificates You can specify PKI domains by using the certif...

Page 574: ...he sign or verify keyword the PKI domain is used for both purposes You can specify a PKI domain for each purpose by executing this command multiple times If you specify the same PKI domain for both purposes the later configuration takes effect For example if you execute certificate domain abc sign and certificate domain abc verify successively the PKI domain abc will be used only for verification ...

Page 575: ...ion data such as gateway address internal IP address and route The exchange includes data request and response and data push and response The enterprise center can push IP addresses to branches The branches can request IP addresses but the requested IP addresses cannot be used You can specify both request and set for the device If you specify request for the local end the remote end will respond i...

Page 576: ...amples Display the configuration of all IKEv2 policies Sysname display ikev2 policy IKEv2 policy 1 Priority 100 Match local address 1 1 1 1 Match local address ipv6 1 1 1 1 Match VRF vpn1 Proposal 1 Proposal 2 IKEv2 policy default Match local address Any Match VRF Any Proposal default Table 78 Command output Field Description IKEv2 policy Name of the IKEv2 policy Priority Priority of the IKEv2 pol...

Page 577: ...ile IKEv2 profile 1 Priority 100 Match criteria Local address 1 1 1 1 Local address GigabitEthernet1 0 1 Local address 1 1 1 1 Remote identity address 3 3 3 3 32 VRF vrf1 Local identity address 1 1 1 1 Local authentication method pre share Remote authentication methods pre share Keychain Keychain1 Sign certificate domain Domain1 abc Verify certificate domain Domain2 yy SA duration 500 seconds DPD ...

Page 578: ...is field displays Disabled Config exchange Configuration exchange settings request The local end sends request messages carrying the configuration request payload during the IKE_AUTH exchange set accept The local end accepts the configuration set payload carried in Info messages set send The local end sends Info messages carrying the configuration set payload NAT keepalive NAT keepalive interval i...

Page 579: ...F SHA1 MD5 DH group MODP1536 Group 5 MODP1024 Group 2 Table 80 Command output Field Description IKEv2 proposal Name of the IKEv2 proposal Encryption Encryption algorithms that the IKEv2 proposal uses Integrity Integrity protection algorithms that the IKEv2 proposal uses PRF PRF algorithms that the IKEv2 proposal uses DH group DH groups that the IKEv2 proposal uses Related commands ikev2 proposal d...

Page 580: ...ers this command displays summary information about all IKEv2 SAs Examples Display summary information about all IKEv2 SAs Sysname display ikev2 sa Tunnel ID Local Remote Status 1 1 1 1 1 500 1 1 1 2 500 EST 2 2 2 2 1 500 2 2 2 2 500 EST Status IN NEGO Negotiating EST Established DEL Deleting Display summary IKEv2 SA information for the remote IP address 1 1 1 2 Sysname display ikev2 sa remote 1 1...

Page 581: ...AT traversal Not detected DPD Interval 20 secs retry interval 2 secs Transmitting entity Initiator Local window 1 Remote window 1 Local request message ID 2 Remote request message ID 2 Local next message ID 0 Remote next message ID 0 Pushed IP address 192 168 1 5 Assigned IP address 192 168 2 24 Display detailed IKEv2 SA information for the remote IP address 1 1 1 2 Sysname display ikev2 sa remote...

Page 582: ...l IP Port IP address and port number of the local security gateway Remote IP Port IP address and port number of the remote security gateway Outside VRF Name of the VPN instance to which the protected outbound data flow belongs If the protected outbound data flow belongs to the public network this field displays a hyphen Inside VRF Name of the VPN instance to which the protected inbound data flow b...

Page 583: ... entity Role of the local end in IKEv2 negotiation initiator or responder Local window Window size that the local end uses Remote window Window size that the remote end uses Local request message ID ID of the request message that the local end is about to send Remote request message ID ID of the request message that the remote end is about to send Local next message ID ID of the message that the l...

Page 584: ... notify 0 No enough resource 0 Enqueue error 0 No IKEv2 SA 0 Packet error 0 Other error 0 Retransmit timeout 0 DPD detect error 0 Del child for IPsec message 1 Del child for deleting IKEv2 SA 1 Del child for receiving delete message 0 Related commands reset ikev2 statistics dh Use dh to specify DH groups to be used in IKEv2 key negotiation Use undo group to restore the default Syntax In non FIPS m...

Page 585: ...he best trade off between processing performance and security choose proper DH groups for your network You must specify a minimum of one DH group for an IKEv2 proposal Otherwise the proposal is incomplete and useless You can specify multiple DH groups for an IKEv2 proposal A group specified earlier has a higher priority Examples Specify DH groups 1 for the IKEv2 proposal 1 Sysname system view Sysn...

Page 586: ...he retry interval so that the device will not trigger a new round of DPD during a DPD retry Examples Configure on demand IKEv2 DPD Set the DPD triggering interval to 10 seconds and the retry interval to 5 seconds Sysname system view Sysname ikev2 profile profile1 Sysname ikev2 profile profile1 dpd interval 10 retry 5 on demand Related commands ikev2 dpd encryption Use encryption to specify encrypt...

Page 587: ...mum of one encryption algorithm for an IKEv2 proposal Otherwise the proposal is incomplete and useless You can specify multiple encryption algorithms for an IKEv2 proposal An algorithm specified earlier has a higher priority Examples Specify the 168 bit 3DES algorithm in CBC mode as the encryption algorithm for the IKE proposal prop1 Sysname system view Sysname ikev2 proposal prop1 Sysname ikev2 p...

Page 588: ...f the peer ipv6 ipv6 address Specifies the IPv6 address of the peer fqdn fqdn name Specifies the FQDN of the peer The fqdn name argument is a case sensitive string of 1 to 255 characters such as www test com email email string Specifies the email address of the peer The email string argument is a case sensitive string of 1 to 255 characters in the format defined by RFC 822 such as esec test com ke...

Page 589: ...iew Predefined user roles network admin Parameters address ipv4 address ipv6 ipv6 address Uses an IPv4 or IPv6 address as the local ID dn Uses the DN in the local certificate as the local ID email email string Uses an email address as the local ID The email string argument is a case sensitive string of 1 to 255 characters in the format defined by RFC 822 such as sec abc com fqdn fqdn name Uses an ...

Page 590: ... address Specifies an IPv4 address range The start ipv4 address argument specifies the start IPv4 address The end ipv4 address argument specifies the end IPv4 address mask Specifies the IPv4 address mask mask length Specifies the length of the IPv4 address mask Usage guidelines An IKE IPv4 address pool can contain a maximum of 8192 IPv4 addresses Examples Configure an IKEv2 IPv4 address pool with ...

Page 591: ...ries the correct cookie the responder considers the initiator valid and proceeds with the negotiation If the carried cookie is incorrect the responder terminates the negotiation This feature can protect the responder against DoS attacks which aim to exhaust the responder s system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses Examples Enable the cookie ch...

Page 592: ...rofile view the IKEv2 DPD settings in system view apply Examples Configure the device to trigger IKEv2 DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for 15 seconds Sysname system view Sysname ikev2 dpd interval 15 on demand Configure the device to trigger IKEv2 DPD every 15 seconds Sysname system view Sysname ikev2 dpd interval 15 periodic Related command...

Page 593: ...ign len 80 Related commands ipv6 address group ikev2 keychain Use ikev2 keychain to create an IKEv2 keychain and enter its view or enter the view of an existing IKEv2 keychain Use undo ikev2 keychain to delete an IKEv2 keychain Syntax ikev2 keychain keychain name undo ikev2 keychain keychain name Default No IKEv2 keychains exist Views System view Predefined user roles network admin Parameters keyc...

Page 594: ...device must send NAT keepalive packets regularly to its peer to keep the NAT session alive so that the peer can access the device The NAT keepalive interval must be shorter than the NAT session lifetime Examples Set the NAT keepalive interval to 5 seconds Sysname system view Sysname ikev2 nat keepalive 5 ikev2 policy Use ikev2 policy to create an IKEv2 policy and enter its view or enter the view o...

Page 595: ...the initiator uses an IPsec policy that is bound to a source interface the initiator looks up an IKEv2 policy by the IP address of the source interface You can set priorities to adjust the match order of IKEv2 policies that have the same match criteria If no IKEv2 policy is configured the default IKEv2 policy is used You cannot enter the view of the default IKEv2 policy nor modify it Examples Crea...

Page 596: ... An IKEv2 proposal named default exists which has the lowest priority and uses the following settings In non FIPS mode Encryption algorithm AES CBC 128 and 3DES Integrity protection algorithm HMAC SHA1 and HMAC MD5 PRF algorithm HMAC SHA1 and HMAC MD5 DH group Group 5 and group 2 In FIPS mode Encryption algorithm AES CBC 128 and AES CTR 128 Integrity protection algorithm HMAC SHA1 and HMAC SHA256 ...

Page 597: ...sal prop1 dh group2 Related commands encryption algorithm integrity prf dh inside vrf Use inside vrf to specify an inside VPN instance Use undo inside vrf to restore the default Syntax inside vrf vrf name undo inside vrf Default No inside VPN instance is specified The internal and external networks are in the same VPN instance The device forwards protected data to this VPN instance Views IKEv2 pro...

Page 598: ... user roles network admin Parameters aes xcbc mac Uses the HMAC AES XCBC MAC algorithm md5 Uses the HMAC MD5 algorithm sha1 Uses the HMAC SHA1 algorithm sha256 Uses the HMAC SHA256 algorithm sha384 Uses the HMAC SHA384 algorithm sha512 Uses the HMAC SHA512 algorithm Usage guidelines You must specify a minimum of one integrity protection algorithm for an IKEv2 proposal Otherwise the proposal is inc...

Page 599: ... You can specify only one IKEv2 keychain for an IKEv2 profile You can specify the same IKEv2 keychain for different IKEv2 profiles Examples Create an IKEv2 profile named profile1 Sysname system view Sysname ikev2 profile profile1 Specify the IKEv2 keychain keychain1 Sysname ikev2 profile profile1 keychain keychain1 Related commands display ikev2 profile ikev2 keychain match local IKEv2 profile vie...

Page 600: ...gured the match remote identity address range 2 2 2 1 2 2 2 100 command for IKEv2 profile A and the match remote identity address range 2 2 2 1 2 2 2 10 command for IKEv2 profile B For the local interface with the IP address 3 3 3 3 to negotiate with the peer 2 2 2 6 IKEv2 profile A is preferred because IKEv2 profile A was configured earlier To use IKEv2 profile B you can use this command to restr...

Page 601: ...me ikev2 policy policy1 match local address 3 3 3 3 Related commands display ikev2 policy match vrf match remote Use match remote to configure a peer ID that an IKEv2 profile matches Use undo match remote to delete a peer ID that an IKEv2 profile matches Syntax match remote certificate policy name identity address ipv4 address mask mask length range low ipv4 address high ipv4 address ipv6 ipv6 add...

Page 602: ...D for IKEv2 profile matching The email string argument is a case sensitive string of 1 to 255 characters in the format defined by RFC 822 such as sec abc com key id key id Uses the peer s key ID as the peer ID for IKEv2 profile matching The key id argument is a case sensitive string of 1 to 255 characters and is usually a vendor specific string for doing proprietary types of identification Usage g...

Page 603: ...policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs IKEv2 policies with this command configured are looked up before those that do not have this command configured ...

Page 604: ...e an IKEv2 profile named profile1 Sysname system view Sysname ikev2 profile profile1 Specify vrf1 as the VPN instance that the IKEv2 profile belongs to Sysname ikev2 profile profile1 match vrf name vrf1 Related commands match remote nat keepalive Use nat keepalive to set the NAT keepalive interval Use ikev2 nat keepalive to restore the default Syntax nat keepalive seconds undo nat keepalive Defaul...

Page 605: ...ed user roles network admin Parameters name Specifies a name for the IKEv2 peer The peer name is a case insensitive string of 1 to 63 characters Usage guidelines An IKEv2 peer contains a pre shared key and the criteria for looking up the peer The criteria for peer lookup includes the peer s host name IP address IP address range and ID The IKEv2 negotiation initiator uses the peer s host name IP ad...

Page 606: ...racters In FIPS mode its plaintext form is a string of 15 to 128 characters and its encrypted form is a string of 15 to 201 characters Usage guidelines If you specify the local or remote keyword you configure an asymmetric key If you specify neither the local nor the remote keyword you configure a symmetric key To delete a key by using the undo command you must specify the correct key type For exa...

Page 607: ...ame ikev2 keychain telecom peer peer1 quit Create an IKEv2 peer named peer2 Sysname ikev2 keychain telecom peer peer2 Configure asymmetric plaintext pre shared keys The key for certificate signing is 11 key b and the key for certificate authentication is 111 key a Sysname ikev2 keychain telecom peer peer2 pre shared key local plaintext 111 key b Sysname ikev2 keychain telecom peer peer2 pre shared...

Page 608: ...F algorithms with HMAC SHA1 preferred Sysname ikev2 proposal prop1 prf sha1 md5 Related commands ikev2 proposal integrity priority IKEv2 policy view Use priority to set a priority for an IKEv2 policy Use undo priority to restore the default Syntax priority priority undo priority Default The priority of an IKEv2 policy is 100 Views IKEv2 policy view Predefined user roles network admin Parameters pr...

Page 609: ...IKEv2 profile in the range of 1 to 65535 A smaller number represents a higher priority Usage guidelines The priority set by this command can only be used to adjust the match order of IKEv2 profiles Examples Set the priority to 10 for the IKEv2 profile profile1 Sysname system view Sysname ikev2 profile profile1 Sysname ikev2 profile profile1 priority 10 proposal Use proposal to specify an IKEv2 pro...

Page 610: ...al Deletes IKEv2 SAs for a local IP address remote Deletes IKEv2 SAs for a remote IP address ipv4 address Specifies a local or remote IPv4 address ipv6 ipv6 address Specifies a local or remote IPv6 address vpn instance vpn instance name Deletes IKEv2 SAs in a VPN instance The vpn instance name argument represents the VPN instance name a case sensitive string of 1 to 31 characters To delete IKEv2 S...

Page 611: ...play information about IKEv2 SAs again Verify that the IKEv2 SA is deleted Sysname display ikev2 sa Tunnel ID Local Remote Status 2 2 2 2 1 500 2 2 2 2 500 EST Status IN NEGO Negotiating EST Established DEL Deleting Related commands display ikev2 sa reset ikev2 statistics Use reset ikev2 statistics to clear IKEv2 statistics Syntax reset ikev2 statistics Views User view Predefined user roles networ...

Page 612: ...t of negotiation time However the longer the lifetime the higher the possibility that attackers collect enough information and initiate attacks Two peers can have different IKEv2 SA lifetime settings and they do not perform lifetime negotiation The peer with a shorter lifetime always initiates the rekeying Examples Create an IKEv2 profile named profile1 Sysname system view Sysname ikev2 profile pr...

Page 613: ...ons Syntax Centralized devices in standalone mode display ssh server session status Distributed devices in standalone mode centralized devices in IRF mode display ssh server session slot slot number status Distributed devices in IRF mode display ssh server session chassis chassis number slot slot number status Views Any view Predefined user roles network admin network operator Parameters session D...

Page 614: ...rver Whether the Stelnet server is enabled SSH version SSH protocol version When the SSH supports SSH1 the protocol version is 1 99 Otherwise the protocol version is 2 SSH authentication timeout Authentication timeout timer SSH server key generating interval Minimum interval for updating the RSA server key pair SSH authentication retries Maximum number of authentication attempts for SSH users SFTP...

Page 615: ...user information Use display ssh user information to display information about SSH users on an SSH server Syntax display ssh user information username Views Any view Predefined user roles network admin network operator Parameters username Specifies an SSH username a case sensitive string of 1 to 80 characters If you do not specify an SSH user this command displays information about all SSH users U...

Page 616: ...entication Service type Service types Stelnet SFTP SCP NETCONF If multiple service types are available for an SSH user they are separated by vertical bars Related commands ssh user scp server enable Use scp server enable to enable the SCP server Use undo scp server enable to disable the SCP server Syntax scp server enable undo scp server enable Default The SCP server is disabled Views System view ...

Page 617: ...SFTP server Use undo sftp server idle timeout to restore the default Syntax sftp server idle timeout time out value undo sftp server idle timeout Default The idle timeout timer is 10 minutes for SFTP connections Views System view Predefined user roles network admin Parameters time out value Specifies an idle timeout timer in the range of 1 to 35791 minutes Usage guidelines If an SFTP connection is...

Page 618: ...SSH redirect listening port number in the range of 4000 to 50000 Usage guidelines The following matrix shows the command and hardware compatibility Hardware Command compatibility MSR954 JH296A JH297A JH298A JH299A JH373A No MSR958 JH300A JH301A No MSR1002 4 1003 8S Yes MSR2003 Yes MSR2004 24 2004 48 Yes MSR3012 3024 3044 3064 No MSR4060 4080 No The SSH redirect server can provide the SSH redirect ...

Page 619: ...directed SSH connection Syntax ssh redirect disconnect Views AUX line view TTY line view Predefined user roles network admin Usage guidelines The following matrix shows the command and hardware compatibility Hardware Command compatibility MSR954 JH296A JH297A JH298A JH299A JH373A No MSR958 JH300A JH301A No MSR1002 4 1003 8S Yes MSR2003 Yes MSR2004 24 2004 48 Yes MSR3012 3024 3044 3064 No MSR4060 4...

Page 620: ...line on the SSH redirect server must use the same transmission rate as the destination device To set the transmission rate for the user line use the speed command As a best practice configure the user line on the SSH redirect server to use the same number of stop bits as the destination device To identify whether the user line and the destination device are using the same number of stop bits use t...

Page 621: ...o 50000 Usage guidelines The following matrix shows the command and hardware compatibility Hardware Command compatibility MSR954 JH296A JH297A JH298A JH299A JH373A No MSR958 JH300A JH301A No MSR1002 4 1003 8S Yes MSR2003 Yes MSR2004 24 2004 48 Yes MSR3012 3024 3044 3064 No MSR4060 4080 No The device redirects only SSH connection requests destined for the SSH redirect listening port The redirected ...

Page 622: ...ix shows the command and hardware compatibility Hardware Command compatibility MSR954 JH296A JH297A JH298A JH299A JH373A No MSR958 JH300A JH301A No MSR1002 4 1003 8S Yes MSR2003 Yes MSR2004 24 2004 48 Yes MSR3012 3024 3044 3064 No MSR4060 4080 No The redirected SSH connection is idle when no data is received from the SSH client This command sets the maximum length of time that the redirected conne...

Page 623: ...n initiate SSH connections to the device when any one of the following conditions exists You do not specify an ACL The specified ACL does not exist The specified ACL does not have rules The ACL takes effect only on SSH connections that are initiated after the ACL configuration If you execute this command multiple times the most recent configuration takes effect Examples Configure ACL 2001 and perm...

Page 624: ...y authentication process and a password authentication process The server first uses publickey authentication and then uses password authentication to authenticate the SSH user This configuration does not affect logged in users It affects only users that attempt to log in after the configuration Examples Set the maximum number of authentication attempts to 4 for SSH users Sysname system view Sysna...

Page 625: ...rver compatible ssh1x enable Use ssh server compatible ssh1x enable to enable the SSH server to support SSH1 clients Use undo ssh server compatible ssh1x enable to restore the default Syntax ssh server compatible ssh1x enable undo ssh server compatible ssh1x enable Default The SSH server does not support SSH1 clients Views System view Predefined user roles network admin network operator Usage guid...

Page 626: ... of 0 to 63 A bigger DSCP value represents a higher priority Usage guidelines The DSCP value of a packet specifies the priority of the packet and affects the transmission priority of the packet Examples Set the DSCP value to 30 for IPv4 SSH packets Sysname system view Sysname ssh server dscp 30 ssh server enable Use ssh server enable to enable the Stelnet server Use undo ssh server enable to disab...

Page 627: ... by its number in the range of 4000 to 4999 Usage guidelines The specified ACL filters IPv6 SSH clients connection requests Only the IPv6 SSH clients that the ACL permits can initiate SSH connections to the device All IPv6 SSH clients can initiate SSH connections to the device when any one of the following conditions exists You do not specify an ACL The specified ACL does not exist The specified A...

Page 628: ...et specifies the priority of the packet and affects the transmission priority of the packet Examples Set the DSCP value to 30 for IPv6 SSH packets Sysname system view Sysname ssh server ipv6 dscp 30 ssh server rekey interval Use ssh server rekey interval to set the minimum interval for updating the RSA server key pair Use undo ssh server rekey interval to restore the default Syntax ssh server reke...

Page 629: ...l 3 Related commands display ssh server ssh user Use ssh user to create an SSH user and specify the service type and authentication method Use undo ssh user to delete an SSH user Syntax In non FIPS mode ssh user username service type all netconf scp sftp stelnet authentication type password any password publickey publickey assign pki domain domain name publickey keyname undo ssh user username In F...

Page 630: ...he PKI domain that verifies the client s digital certificate The domain name argument is a case insensitive string of 1 to 31 characters excluding characters listed in Table 86 The server uses the CA certificate that is saved in the PKI domain to verify the client s digital certificate In this scenario the server does not need to save clients public keys in advance Table 86 Invalid characters for ...

Page 631: ...or password publickey the working directory is specified by the authorization attribute command in the associated local user view If the authentication method is password the working directory is authorized by AAA For an SSH user the user role also depends on the authentication method If the authentication method is publickey or password publickey the user role is specified by the authorization at...

Page 632: ...r sftp bye Sysname cd Use cd to change the working directory on the SFTP server Syntax cd remote path Views SFTP client view Predefined user roles network admin Parameters remote path Specifies the name of a directory on the server Usage guidelines You can use the cd command to return to the upper level directory You can use the cd command to return to the root directory of the system Examples Cha...

Page 633: ...p Current Directory is sftp pwd Remote working directory sftp delete Use delete to delete a file from the SFTP server Syntax delete remote file Views SFTP client view Predefined user roles network admin Parameters remote file Specifies a file by its name Usage guidelines This command has the same function as the remove command Examples Delete the file temp c from the SFTP server sftp delete temp c...

Page 634: ...der a directory This command has the same function as the ls command Examples Display detailed information about the files and subdirectories under the current directory including the files and subdirectories with names starting with dots sftp dir a drwxrwxrwx 2 1 1 512 Dec 18 14 12 drwxrwxrwx 2 1 1 512 Dec 18 14 12 rwxrwxrwx 1 1 1 301 Dec 18 14 11 010 pub rwxrwxrwx 1 1 1 301 Dec 18 14 12 011 pub ...

Page 635: ...rce to display the source IP address configured for the Stelnet client Syntax display ssh client source Views Any view Predefined user roles network admin network operator Examples Display the source IP address configured for the Stelnet client Sysname display ssh client source The source IP address of the SSH client is 192 168 0 1 The source IPv6 address of the SSH client is 2 2 2 2 Related comma...

Page 636: ...the name for the local file If you do not specify this argument the file will be saved locally with the same name as the file on the SFTP server Examples Download the file temp1 c and save it as temp c locally sftp get temp1 c temp c Fetching temp1 c to temp c temp c 100 1424 1 4KB s 00 00 help Use help to display help information on the SFTP client Syntax help Views SFTP client view Predefined us...

Page 637: ...help ls Use ls to display information about the files and subdirectories under a directory Syntax ls a l remote path Views SFTP client view Predefined user roles network admin Parameters a Displays detailed information about files and subdirectories under a directory in a list including the files and subdirectories with names starting with dots l Displays detailed information about the files and s...

Page 638: ...excluding the files and subdirectories with names starting with dots sftp ls l rwxrwxrwx 1 1 1 301 Dec 18 14 11 010 pub rwxrwxrwx 1 1 1 301 Dec 18 14 12 011 pub rwxrwxrwx 1 1 1 301 Dec 18 14 12 012 pub NOTE The output format varies by SSH server device model mkdir Use mkdir to create a directory on the SFTP server Syntax mkdir remote path Views SFTP client view Predefined user roles network admin ...

Page 639: ...24 1 4KB s 00 00 pwd Use pwd to display the current working directory of the SFTP server Syntax pwd Views SFTP client view Predefined user roles network admin Examples Display the current working directory of the SFTP server sftp pwd Remote working directory The output shows that the current working directory is the root directory quit Use quit to terminate the SFTP connection and return to user v...

Page 640: ...emp c Removing temp c rename Use rename to change the name of a file or directory on the SFTP server Syntax rename old name new name Views SFTP client view Predefined user roles network admin Parameters oldname Specifies the name of an existing file or directory newname Specifies a new name for the existing file or directory Examples Change the name of a file on the SFTP server from temp1 c to tem...

Page 641: ...face interface type interface number ip ip address In FIPS mode scp server port number vpn instance vpn instance name put get source file name destination file name identity key ecdsa rsa prefer compress zlib prefer ctos cipher aes128 cbc aes256 cbc prefer ctos hmac sha1 sha1 96 prefer kex dh group14 sha1 prefer stoc cipher aes128 cbc aes256 cbc prefer stoc hmac sha1 sha1 96 public key keyname sou...

Page 642: ...c md5 md5 96 Specifies the HMAC algorithm hmac md5 96 sha1 Specifies the HMAC algorithm hmac sha1 sha1 96 Specifies the HMAC algorithm hmac sha1 96 prefer kex Specifies the preferred key exchange algorithm The default is dh group exchange sha1 in non FIPS mode and dh group14 sha1 in FIPS mode dh group exchange sha1 Specifies the key exchange algorithm diffie hellman group exchange sha1 dh group1 s...

Page 643: ...me destination file name identity key dsa ecdsa rsa prefer compress zlib prefer ctos cipher 3des cbc aes128 cbc aes256 cbc des cbc prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange sha1 dh group1 sha1 dh group14 sha1 prefer stoc cipher 3des cbc aes128 cbc aes256 cbc des cbc prefer stoc hmac md5 md5 96 sha1 sha1 96 public key keyname source interface interface type interface num...

Page 644: ...y strength and computation time 3des cbc Specifies the encryption algorithm 3des cbc des cbc Specifies the encryption algorithm des cbc aes128 cbc Specifies the encryption algorithm aes128 cbc aes256 cbc Specifies the encryption algorithm aes256 cbc prefer ctos hmac Specifies the preferred client to server HMAC algorithm The default is sha1 Algorithms sha1 and sha1 96 provide stronger security but...

Page 645: ...ha1 Preferred server to client HMAC algorithm sha1 96 Preferred compression algorithm zlib Sysname scp ipv6 2000 1 get abc txt prefer kex dh group14 sha1 prefer stoc cipher aes128 cbc prefer ctos hmac sha1 prefer stoc hmac sha1 96 prefer compress zlib public key svkey sftp Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view Syntax In non FIPS mode sftp server port ...

Page 646: ... sha1 Algorithms sha1 and sha1 96 provide stronger security but cost more computation time than algorithms md5 and md5 96 md5 Specifies the HMAC algorithm hmac md5 md5 96 Specifies the HMAC algorithm hmac md5 96 sha1 Specifies the HMAC algorithm hmac sha1 sha1 96 Specifies the HMAC algorithm hmac sha1 96 prefer kex Specifies the preferred key exchange algorithm The default is dh group exchange sha...

Page 647: ... dh group14 sha1 prefer stoc cipher aes128 cbc prefer ctos hmac sha1 prefer stoc hmac sha1 96 prefer compress zlib public key svkey sftp client ipv6 source Use sftp client ipv6 source to configure the source IPv6 address for SFTP packets Use undo sftp client ipv6 source to restore the default Syntax sftp client ipv6 source interface interface type interface number ipv6 ipv6 address undo sftp clien...

Page 648: ...nterface interface type interface number Specifies a source interface by its type and number The SFTP packets use the primary IPv4 address of the interface as their source address ip ip address Specifies a source IPv4 address Usage guidelines If you execute this command multiple times the most recent configuration takes effect This command takes effect on all SFTP connections The source IPv4 addre...

Page 649: ...the server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters i interface type interface number Specifies an output interface by its type and number for IPv6 SFTP packets This option is used only when the server uses a link local address to provide the SFTP service for the client The specified output interface on the SFTP client must have a link local address i...

Page 650: ...the IPv6 SFTP packets The value range for the dscp value argument is 0 to 63 and the default value is 48 The DSCP value determines the transmission priority of the packet public key keyname Specifies the host public key of the server that the client uses to authenticate the server The keyname argument is a case insensitive string of 1 to 64 characters source Specifies a source IPv6 address or sour...

Page 651: ...ss ipv6 ipv6 address Specifies a source IPv6 address Usage guidelines If you execute this command multiple times the most recent configuration takes effect This command takes effect on all IPv6 Stelnet connections The source IPv6 address specified in the ssh2 ipv6 command takes effect only on the current IPv6 Stelnet connection If you specify the source IPv6 address both in this command and the ss...

Page 652: ...192 168 0 1 as the source IPv4 address for SSH packets Sysname system view Sysname ssh client source ip 192 168 0 1 Related commands display ssh client source ssh2 Use ssh2 to establish a connection to an IPv4 Stelnet server Syntax In non FIPS mode ssh2 server port number vpn instance vpn instance name identity key dsa ecdsa rsa prefer compress zlib prefer ctos cipher 3des cbc aes128 cbc aes256 cb...

Page 653: ...ion algorithm 3des cbc des cbc Specifies the encryption algorithm des cbc aes128 cbc Specifies the encryption algorithm aes128 cbc aes256 cbc Specifies the encryption algorithm aes256 cbc prefer ctos hmac Specifies the preferred client to server HMAC algorithm The default is sha1 Algorithms sha1 and sha1 96 provide stronger security but cost more computation time than algorithms md5 and md5 96 md5...

Page 654: ...SH connection when the server reboots or malfunctions For the escape sequence to take effect you must enter it at the very beginning of a line If you have entered other characters or performed operations in a line enter the escape sequence in the next line As a best practice use the default escape character Do not use any character in SSH usernames as the escape character Examples Establish a conn...

Page 655: ...et client must have a link local address identity key Specifies a public key algorithm for the client The default is dsa in non FIPS mode and is rsa in FIPS mode If the server uses publickey authentication you must specify this keyword The client generates the digital signature by using the local private key that is associated with the specified algorithm dsa Specifies the public key algorithm dsa...

Page 656: ... string of 1 to 64 characters source Specifies a source IPv6 address or source interface for IPv6 SSH packets By default the device automatically selects a source IPv6 address for IPv6 SSH packets in compliance with RFC 3484 As a best practice to ensure successful IPv6 Stelnet connections specify a loopback interface or dialer interface as the source interface or specify that interface s IPv6 addr...

Page 657: ...thms dsa rsa ecdsa Encryption algorithms aes128 cbc 3des cbc des cbc aes256 cbc MAC algorithms sha1 md5 md5 96 sha1 96 Table 87 Command output Field Description Key exchange algorithms Key exchange algorithms in descending order of priority for algorithm negotiation Public key algorithms Public key algorithms in descending order of priority for algorithm negotiation Encryption algorithms Encryptio...

Page 658: ...on algorithm aes128 cbc aes256 cbc Specifies the encryption algorithm aes256 cbc 3des cbc Specifies the encryption algorithm 3des cbc des cbc Specifies the encryption algorithm des cbc Usage guidelines If you specify the encryption algorithms SSH2 uses only the specified algorithms for algorithm negotiation The algorithm specified earlier has a higher priority during negotiation Examples Specify t...

Page 659: ...key exchange algorithm diffie hellman group exchange sha1 dh group14 sha1 Specifies the key exchange algorithm diffie hellman group14 sha1 dh group1 sha1 Specifies the key exchange algorithm diffie hellman group1 sha1 Usage guidelines If you specify the key exchange algorithms SSH2 uses only the specified algorithms for algorithm negotiation The algorithm specified earlier has a higher priority du...

Page 660: ...c sha1 sha1 96 Specifies the HMAC algorithm hmac sha1 96 md5 Specifies the HMAC algorithm hmac md5 md5 96 Specifies the HMAC algorithm hmac md5 96 Usage guidelines If you specify the MAC algorithms SSH2 uses only the specified algorithms for algorithm negotiation The algorithm specified earlier has a higher priority during negotiation Examples Specify the algorithm md5 as the MAC algorithm for SSH...

Page 661: ...on Views System view Predefined user roles network admin Parameters ecdsa Specifies the public key algorithm ecdsa dsa Specifies the public key algorithm dsa rsa Specifies the public key algorithm rsa Usage guidelines If you specify the public key algorithms SSH2 uses only the specified algorithms for algorithm negotiation The algorithm specified earlier has a higher priority during negotiation Ex...

Page 662: ...n to the client Views SSL server policy view Predefined user roles network admin Usage guidelines This feature causes additional overheads in the SSL negotiation process Enable it only when the SSL client do not have the complete certificate chain to verify the server certificate Examples Sysname system view Sysname ssl server policy policy1 Sysname ssl server policy policy1 certificate chain send...

Page 663: ...A rsa_des_cbc_sha Specifies the cipher suite that uses key exchange algorithm RSA data encryption algorithm DES_CBC and MAC algorithm SHA rsa_rc4_128_md5 Specifies the cipher suite that uses key exchange algorithm RSA data encryption algorithm 128 bit RC4 and MAC algorithm MD5 rsa_rc4_128_sha Specifies the cipher suite that uses key exchange algorithm RSA data encryption algorithm 128 bit RC4 and ...

Page 664: ...Predefined user roles network admin Parameters enable Enables mandatory SSL client authentication optional Enables optional SSL client authentication Usage guidelines SSL uses digital certificates to authenticate communicating parties For more information about digital certificates see Security Configuration Guide Mandatory SSL client authentication The SSL server requires an SSL client to submit ...

Page 665: ...n Sysname system view Sysname ssl server policy policy1 Sysname ssl server policy policy1 client verify optional Disable SSL client authentication Sysname system view Sysname ssl server policy policy1 Sysname ssl server policy policy1 undo client verify Related commands display ssl server policy display ssl client policy Use display ssl client policy to display SSL client policy information Syntax...

Page 666: ...ive string of 1 to 31 characters If you do not specify a policy name this command displays information about all SSL server policies Examples Display information about SSL server policy policy1 Sysname display ssl server policy policy1 SSL server policy policy1 PKI domain server domain Ciphersuites DHE_RSA_AES_128_CBC_SHA RSA_AES_128_CBC_SHA Session cache size 600 Caching timeout 3600 seconds Clie...

Page 667: ...icate through the specified PKI domain If you specify a PKI domain for an SSL server policy the SSL server that uses the SSL server policy will obtain its digital certificate through the specified PKI domain Examples Specify PKI domain client domain for the SSL client policy policy1 Sysname system view Sysname ssl client policy policy1 Sysname ssl client policy policy1 pki domain client domain Spe...

Page 668: ... that uses key exchange algorithm RSA data encryption algorithm RC2 and MAC algorithm MD5 exp_rsa_rc4_md5 Specifies the export cipher suite that uses key exchange algorithm RSA data encryption algorithm RC4 and MAC algorithm MD5 rsa_3des_ede_cbc_sha Specifies the cipher suite that uses key exchange algorithm RSA data encryption algorithm 3DES_EDE_CBC and MAC algorithm SHA rsa_aes_128_cbc_sha Speci...

Page 669: ...ithm RSA data encryption algorithm 128 bit AES_CBC and MAC algorithm SHA Sysname system view Sysname ssl client policy policy1 Sysname ssl client policy policy1 prefer cipher rsa_aes_128_cbc_sha Related commands ciphersuite display ssl client policy server verify enable Use server verify enable to enable the SSL client to use digital certificates to authenticate SSL servers Use undo server verify ...

Page 670: ...ession cache timeout in the range of 1 to 4294967295 seconds Usage guidelines The SSL server caches SSL sessions to reuse negotiated session parameters to simplify SSL handshake Use this command to limit the maximum number and timeout time for cached sessions When the number of cached sessions reaches the maximum SSL does not cache new sessions When the timeout timer for a cached session expires S...

Page 671: ...ct only after it is associated with an application such as DDNS Examples Create an SSL client policy named policy1 and enter its view Sysname system view Sysname ssl client policy policy1 Sysname ssl client policy policy1 Related commands display ssl client policy ssl renegotiation disable Use ssl renegotiation disable to disable SSL session renegotiation Use undo ssl renegotiation disable to rest...

Page 672: ...redefined user roles network admin Parameters policy name Specifies a name for the SSL server policy a case insensitive string of 1 to 31 characters Usage guidelines This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suits An SSL server policy takes effect only after it is associated with an application such as HTTPS Examp...

Page 673: ... 3 0 As a best practice upgrade the peer device to support TLS 1 0 to improve security Examples Disable SSL 3 0 on the device Sysname system view Sysname ssl version ssl3 0 disable version Use version to specify an SSL protocol version for an SSL client policy Use undo version to restore the default Syntax In non FIPS mode version ssl3 0 tls1 0 undo version In FIPS mode version tls1 0 undo version...

Page 674: ...ses TLS 1 0 to connect to the SSL server If SSL 3 0 is specified the client uses SSL 3 0 to connect to the SSL server whether you disable SSL 3 0 or not As a best practice to enhance system security disable SSL 3 0 on the device and specify TLS 1 0 for an SSL client policy Examples Set the SSL protocol version to TLS 1 0 for SSL client policy policy1 Sysname system view Sysname ssl client policy p...

Page 675: ... view Predefined user roles network admin Parameters aspf policy number Specifies an ASPF policy number The value range for this argument is 1 to 256 inbound Applies the ASPF policy to incoming packets outbound Applies the ASPF policy to outgoing packets Usage guidelines To inspect the traffic through an interface you must apply a configured ASPF policy to that interface Make sure a connection ini...

Page 676: ...ocols but it does not perform ICMP error message check or the TCP SYN packet check The predefined ASPF policy cannot be modified To change the ASPF policy application define an ASPF policy and apply it to the zone pair If you execute this command multiple times the most recent configuration takes effect Examples Apply an ASPF policy to a zone pair Sysname system view Sysname security zone name tru...

Page 677: ...ork and save bandwidth do not use this command However you must use this command when you use traceroute for ICMP error messages in this situaiton are required Examples Enable ICMP error message sending for packet dropping by security policies applied to zone pairs Sysname system view Sysname aspf icmp error reply aspf policy Use aspf policy to create an ASPF policy and enter its view or enter the...

Page 678: ...tion layer protocol gtp Specifies GPRS Tunneling Protocol GTP an application layer protocol h323 Specifies H 323 protocol stack application layer protocols http Specifies HTTP an application layer protocol ils Specifies Internet Locator Service ILS an application layer protocol mgcp Specifies Media Gateway Control Protocol MGCP an application layer protocol nbt Specifies NetBIOS over TCP IP NBT an...

Page 679: ...er protocols include TCP UDP UDP Lite SCTP Raw IP ICMP ICMPv6 and DCCP This command configures ASPF inspection for application protocols ASPF inspection supports protocol status validity check for application protocols of DNS FTP H323 HTTP SCCP SIP and SMTP The device deals with packets with invalid protocol status depending on the actions you have specified To configure protocol status validity c...

Page 680: ...ck is enabled TCP SYN packet check Whether TCP SYN check is enabled Inspected protocol Protocols to be inspected by ASPF Action Actions on the detected illegal packets Drop Drops illegal packets None Allows illegal packets to pass If the protocol does not support the action configuration this field displays a hyphen Interface configuration Interfaces where ASPF policy is applied Inbound policy Inb...

Page 681: ...d commands aspf apply policy aspf policy display aspf policy Use display aspf policy to display the configuration of an ASPF policy Syntax display aspf policy aspf policy number default Views Any view Predefined user roles network admin network operator Parameters aspf policy number Specifies the number of an ASPF policy The value range for this argument is 1 to 256 default Specifies the predefine...

Page 682: ...standalone mode centralized devices in IRF mode display aspf session ipv4 ipv6 slot slot number verbose Distributed devices in IRF mode display aspf session ipv4 ipv6 chassis chassis number slot slot number verbose Views Any view Predefined user roles network admin network operator Parameters ipv4 Displays IPv4 ASPF sessions ipv6 Displays IPv6 ASPF sessions slot slot number Specifies a card by its...

Page 683: ...Protocol TCP 6 Inbound interface GigabitEthernet1 0 1 Source security zone SrcZone Initiator Source IP port 192 168 1 18 1792 Destination IP port 192 168 1 55 2048 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol ICMP 1 Inbound interface GigabitEthernet1 0 1 Source security zone SrcZone Total sessions found 2 Distributed devices in standalone mode centralized devices in IRF mode Display...

Page 684: ...ce security zone SrcZone Total sessions found 2 Centralized devices in standalone mode Display detailed information about IPv4 ASPF sessions Sysname display aspf session ipv4 verbose Initiator Source IP port 192 168 1 18 1877 Destination IP port 192 168 1 55 22 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol TCP 6 Inbound interface GigabitEthernet1 0 1 Source security zone SrcZone Resp...

Page 685: ...s Total sessions found 2 Distributed devices in standalone mode centralized devices in IRF mode Display detailed information about IPv4 ASPF sessions Sysname display aspf session ipv4 verbose Slot 1 Initiator Source IP port 192 168 1 18 1877 Destination IP port 192 168 1 55 22 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol TCP 6 Inbound interface GigabitEthernet1 0 1 Source security z...

Page 686: ...or 0 packets 0 bytes Total sessions found 2 Distributed devices in IRF mode Display detailed information about IPv4 ASPF sessions Sysname display aspf session ipv4 verbose Slot 1 in chassis 1 Initiator Source IP port 192 168 1 18 1877 Destination IP port 192 168 1 55 22 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol TCP 6 Inbound interface GigabitEthernet1 0 1 Source security zone Src...

Page 687: ... Session information from responder to initiator Source IP port Source IP address and port number Destination IP port Destination IP address and port number DS Lite tunnel peer IP address of the DS Lite tunnel peer If the session is not tunneled by DS Lite this field displays a hyphen VPN instance VLAN ID Inline ID VPN instance MPLS L3VPN instance where the session is initiated VLAN ID VLAN to whi...

Page 688: ...r drop Use icmp error drop to enable ICMP error message check and drop faked messages Use undo icmp error drop to disable ICMP error message check Syntax icmp error drop undo icmp error drop Default ICMP error message check is disabled Views ASPF policy view Predefined user roles network admin Usage guidelines An ICMP error message carries information about the corresponding connection ICMP error ...

Page 689: ...umber Specifies an IRF member device by its member ID If you do not specify a member device this command clears ASPF session statistics for all member devices Centralized devices in IRF mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot numbe...

Page 690: ...ted up it can receive a non SYN packet of an existing TCP connection for the first time If you do not want to interrupt the existing TCP connection you can disable the TCP SYN check Then the router allows the non SYN packet that is the first packet to establish a TCP connection to pass After the network topology becomes steady you can enable TCP SYN check again Examples Enable TCP SYN check for AS...

Page 691: ... group Use undo app group to delete the specified application group Syntax app group group name undo app group group name Default No application groups exist Views System view Predefined user roles network admin Parameters group name Specifies the application group name a case insensitive string of 1 to 63 characters Names invalid and other are not allowed Usage guidelines You can create a maximum...

Page 692: ...erfaces If no direction is specified application statistics is enabled in both the inbound and outbound directions When this feature is enabled the device separately counts the number of packets or bytes that the interface has received or sent for each application protocol It also calculates the transmission rates of the interface for these protocols To display application statistics use the displ...

Page 693: ...fined user roles network admin Usage guidelines Use this command to update the APR signature database if the device can access the signature database services at the Hewlett Packard Enterprise website Examples Enable automatic update for the APR signature database and enter auto update configuration view Sysname system view Sysname apr signature auto update Sysname apr autoupdate Related commands ...

Page 694: ...ck the APR signature database to the last version Usage guidelines You can use this command if you find that high error rate or abnormality occurs when the device uses the current APR signature database for application recognition Each time a rollback operation is performed the device backs up the current version of the APR signature database If you repeat the apr signature rollback last command m...

Page 695: ...t be stored on the active MPU Distributed devices in IRF mode To ensure a successful update the APR signature file must be stored on the global active MPU The following table describes the formats of the file path argument for different update scenarios Update scenario Format of file path Remarks The update file is stored in the current working directory filename To display the current working dir...

Page 696: ... each other For information about DNS see Layer 3 IP Services Configuration Guide Examples Manually update the APR signature database by using an APR signature file stored on a TFTP server Sysname system view Sysname apr signature update tftp 192 168 0 1 apr 1 0 2 en dat Manually update the APR signature database by using an APR signature file stored on an FTP server Sysname system view Sysname ap...

Page 697: ...t groups to the current group Examples Copy application protocols in group bcd to group abc Sysname system view Sysname app group abc Sysname app group abc copy app group bcd Related commands app group include application description application group view Use description to configure a description for an application group Use undo description to restore the default Syntax description text undo de...

Page 698: ... Views NBAR rule view Predefined user roles network admin Parameters text Specifies a description a case sensitive string of 1 to 256 characters If the string includes spaces use a pair of quotation marks to enclose all characters Usage guidelines Configure descriptions for different user defined NBAR rules for identification and management purposes Examples Configure a description for user define...

Page 699: ...this command multiple times for the same NBAR rule the most recent configuration takes effect The ipv6 ipv6 address option is not supported in the current software version If you specify this option the command does not take effect Examples Configure user defined NBAR rule abcd to match packets destined for the IPv4 subnet 192 168 1 0 24 Sysname system view Sysname nbar application abcd protocol h...

Page 700: ...e disable to disable a user defined NBAR rule Use undo disable to restore the default Syntax disable undo disable Default A user defined NBAR rule is enabled Views NBAR rule view Predefined user roles network admin Usage guidelines Use this command to disable a user defined NBAR rule if the following conditions exist The NBAR rule will not be used in the foreseeable future You do not want to delet...

Page 701: ...0x00800002 er User defined 0x00800001 hbc User defined 0x00800003 Display information about application group er Sysname display app group name er Group English name er Group Chinese name er Group ID 0x00800001 Type User defined Application count 2 Include application list Application name Type App ID 114Travel Pre defined 0x0000542c banc User defined 0x00800001 Table 94 Command output Field Descr...

Page 702: ...ion protocols Usage guidelines If you do not specify any parameters this command displays information about all application protocols Examples Display information about all predefined application protocols Sysname display application pre defined Pre defined count 817 Application name Type App ID Tunnel Encrypted DetectLen 12530WAP_Application_We Pre defined 0x000003ac No No 0 b_HTTP 12580_Applicat...

Page 703: ...en 12530WAP_Application_We Pre defined 0x000003ac No No 0 b_HTTP 12580_Application_HTTP Pre defined 0x00000312 No No 0 126_Web_Email_Download_ Pre defined 0x000002b7 No No 0 HTTP 126_Web_Email_Login_HTT Pre defined 0x000002b3 No No 0 P 126_Web_Email_Read_Emai Pre defined 0x000002b4 No No 0 l_HTTP 126_Web_Email_Receive_E Pre defined 0x000002b6 No No 0 mail_HTTP 126_Web_Email_Send_Emai Pre defined 0...

Page 704: ...o 0 More Display information about application protocol Telnet Sysname display application name telnet Application English Name telnet Application Chinese Name telnet Application ID 0x0000000e Tunnel No Encrypted No Enabled Yes PreDetectLen 0 UsrDetectLen 0 Performance 30 Fidelity 10 Priority 40 Popularity 20 ManufacturerID 4294967295 Flow Behavior 4294967295 Table 95 Command output Field Descript...

Page 705: ...on recognition on the device performance The value range is 0 to 100 A larger value represents a bigger impact Fidelity Reliability of the application recognition The value range is 0 to 100 A larger value represents a higher reliability Priority Priority of the application The value range is 0 to 100 A larger value represents a higher priority If multiple application protocols are recognized out ...

Page 706: ...sis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card This option is available only for global interfaces such as VLAN and tunnel interface Distributed devices in IRF mode name application name Specifies an application protocol by its name a c...

Page 707: ...4 app2 IN 2195 18560000 300 654222 OUT 21986666666 655555555123123101 55551 5454125111 APP3 IN 2195 17560000 300 45161 OUT 21986666666 5555555551231231 55551 5454125111 Display application statistics in the inbound direction of GigabitEthernet 1 0 1 Sysname display application statistics interface gigabitethernet 1 0 1 direction inbound Interface GigabitEthernet1 0 1 Application In Out Packets Byt...

Page 708: ...es received or sent by the interface PPS Packets received or sent per second BPS Bytes received or sent per second Related commands app group application statistics enable display application statistics top Use display application statistics top to display statistics for application protocols on an interface in descending order based on the specified criteria Syntax Centralized devices in standalo...

Page 709: ...d tunnel interface Distributed devices in IRF mode Usage guidelines This command displays application statistics only after the application statistics feature is enabled on the specified interface Disabling the application statistics feature on the interface deletes the existing statistics The system uses the sum of inbound and outbound statistics to rank the application protocols If the sum stati...

Page 710: ...5 17560000 300 45161 OUT 21986666666 5555555551231231 55551 5454125111 Display the top three application protocols that have received and sent the most bytes per second on GigabitEthernet 1 0 1 Sysname display application statistics top 3 bps interface gigabitethernet 1 0 1 Interface GigabitEthernet1 0 1 Application In Out Packets Bytes PPS BPS appaaaaasg IN 190023111111111111 252334402111111111 2...

Page 711: ...n Type SigVersion ReleaseTime Size Current 1 0 301 Thu Dec 18 00 59 55 2014 87104 Last Factory 1 0 301 Thu Dec 18 00 59 55 2014 87104 Table 98 Command output Field Description Type Version type of the APR signature database Current Last Factory SigVersion Version of the APR signature database ReleaseTime Release time of the APR signature database Size Size of the APR signature database in bytes di...

Page 712: ... display port mapping user defined to display information about the user defined port mappings Syntax display port mapping user defined application application name port port number Views Any view Predefined user roles network admin network operator Parameters application application name Specifies an application protocol by its name a case insensitive string of 1 to 63 characters The names invali...

Page 713: ...match based on the destination IPv6 addresses of the packet IPv4 subnet A match based on the destination IPv4 subnet of the packet IPv6 subnet A match based on the destination IPv6 subnet of the packet IPv4 ACL A match based on the IPv4 ACL IPv6 ACL A match based on the IPv6 ACL Match Condition Match conditions For the match type of IPv4 host or IPv6 host the destination IP addresses of the packet...

Page 714: ...o the application group the system first creates the protocol before adding it to the application group Whether the device can recognize the packets of this protocol depends on your configuration Examples Add HTTP and FTP to group abc Sysname system view Sysname app group abc Sysname app group abc include application http Sysname app group abc include application ftp Related commands app group cop...

Page 715: ...er Signatures The logical relation of these signatures is OR which indicates that a packet that matches any signature matches the NBAR rule You can specify more than one match criterion for the rule To match the NBAR rule packets must match all the match criteria in the rule Examples Create a user defined NBAR rule named abc and apply the rule to HTTP packets Sysname system view Sysname nbar appli...

Page 716: ... name undo port mapping application application name port port number protocol protocol name Default An application protocol is mapped to a well known port Views System view Predefined user roles network admin Parameters application application name Specifies an application protocol by its name a case insensitive string of 1 to 63 characters The names invalid and other are not allowed port port nu...

Page 717: ... number undo port mapping application application name port port number protocol protocol name acl ipv6 acl number Default An application protocol is mapped to a well known port Views System view Predefined user roles network admin Parameters application application name Specifies an application protocol by its name a case insensitive string of 1 to 63 characters The names invalid and other are no...

Page 718: ...t port mapping Syntax port mapping application application name port port number protocol protocol name host ip ipv6 start ip address end ip address vpn instance vpn instance name undo port mapping application application name port port number protocol protocol name host ip ipv6 start ip address end ip address vpn instance vpn instance name Default An application protocol is mapped to a well known...

Page 719: ...nd IP address or IP address ranges but with different application protocols the most recent configuration takes effect A mapping with the transport layer protocol specified has a higher priority than one without it Examples Create a mapping of port 3456 to FTP for the IPv4 packets sent to the host at 1 1 1 1 to 1 1 1 10 Sysname system view Sysname port mapping application ftp port 3456 host ip 1 1...

Page 720: ...net based host port mappings to recognize packets A packet is recognized as an application protocol packet when it matches all the following conditions in a mapping The packet is destined for the specified IP subnet in the mapping The packet s destination port matches the specified port in the mapping The transport layer protocol that encapsulates the packet matches the specified transport layer p...

Page 721: ... Sysname reset application statistics Related commands application statistics enable display application statistics service port Use service port to specify a port number or a port range as a match criterion in a user defined NBAR rule Use undo service port to restore the default Syntax service port port num range start port end port undo service port Default A user defined NBAR rule matches packe...

Page 722: ...o signatures exist for a user defined NBAR rule Views NBAR rule view Predefined user roles network admin Parameters signature id Specifies the signature ID in the range of 1 to 65535 If you do not specify this argument when creating a signature the system automatically assigns the signature a signature ID and records the signature ID The increment of automatically assigned signature IDs is 5 A new...

Page 723: ...gnature 1 which defines match string abcdegf Sysname system view Sysname nbar application abcd protocol http Sysname nbar application abcd signature 1 string abcdefg Related commands nbar application source Use source to specify a source IP address or subnet as a match criterion in a user defined NBAR rule Use undo source to restore the default Syntax source ip ipv4 address mask length ipv6 ipv6 a...

Page 724: ...le Default The device automatically updates the APR signature database between 01 01 00 to 05 01 00 every day Views Auto update configuration view Predefined user roles network admin Parameters daily Specifies the daily update interval weekly Specifies the weekly update interval You can specify one day in a week for the update mon Specifies Monday tue Specifies Tuesday wed Specifies Wednesday thu ...

Page 725: ... 00 00 to 23 20 00 Examples Configure the device to automatically update the APR signature database at 23 10 00 every Monday with a tolerance time of 10 minutes Sysname system view Sysname apr signature auto update Sysname apr autoupdate update schedule weekly mon start time 23 10 00 tingle 10 Related commands apr signature auto update ...

Page 726: ...cation to display the aging time for sessions of different application layer protocols or applications Syntax display session aging time application Views Any view Predefined user roles network admin network operator Examples Display the aging time for sessions of different application layer protocols and applications Sysname display session aging time application Application Aging time s bootpc 1...

Page 727: ... in seconds others 1200 All application layer protocols and applications with the aging time of 1200 seconds is displayed as others Related commands session aging time application display session aging time state Use display session aging time stat to display the aging time for sessions in different protocol states Syntax display session aging time state Views Any view Predefined user roles networ...

Page 728: ...te Protocol state Aging Time s Aging time in seconds Related commands session aging time state display session relation table Use display session relation table to display relation entries Syntax Centralized devices in standalone mode display session relation table ipv4 ipv6 Distributed devices in standalone mode centralized devices in IRF mode display session relation table ipv4 ipv6 slot slot nu...

Page 729: ... in IRF mode Examples Centralized devices in standalone mode Display all IPv4 relation entries Sysname display session relation table ipv4 Source IP port 192 168 1 100 Destination IP port 192 168 2 100 99 DS Lite tunnel peer VPN instance VLAN ID Inline ID 1 Protocol TCP 6 TTL 1234s App FTP DATA Source IP port Destination IP port 192 168 2 200 1212 DS Lite tunnel peer VPN instance VLAN ID Inline ID...

Page 730: ...ys a hyphen For an IPv6 relation entry the source port number is not displayed Destination IP port Destination IP address and port number of the session DS Lite tunnel peer Peer tunnel interface address of the DS Lite tunnel to which the session belongs If no peer tunnel interface address is specified a hyphen is displayed VPN instance VLAN ID Inline ID MPLS L3VPN instance to which the relation en...

Page 731: ...y its number The source port argument specifies the source port of an IPv4 unicast session from the initiator to the responder The value range for the source port argument is 0 to 65535 destination port destination port Specifies a destination port by its number The destination port argument specifies the destination port of an IPv6 unicast session from the initiator to the responder The value ran...

Page 732: ...ions Number of ICMPv6 unicast sessions and number of ICMPv6 unicast sessions in different states UDP Lite sessions Number of UDP Lite unicast sessions and number of UDP Lite unicast sessions in different states SCTP sessions Number of SCTP unicast sessions and number of SCTP unicast sessions in different states DCCP sessions Number of DCCP unicast sessions and number of DCCP unicast sessions in di...

Page 733: ...urce port argument is 0 to 65535 destination port destination port Specifies a destination port by its number The destination port argument specifies the destination port of an IPv6 unicast session from the initiator to the responder The value range for the destination port argument is 0 to 65535 slot slot number Specifies a card by its slot number If you do not specify a card this command display...

Page 734: ...of ICMPv6 unicast sessions in different states UDP Lite sessions Number of UDP Lite unicast sessions and number of UDP Lite unicast sessions in different states SCTP sessions Number of SCTP unicast sessions and number of SCTP unicast sessions in different states DCCP sessions Number of DCCP unicast sessions and number of DCCP unicast sessions in different states RAWIP sessions Number of Raw IP uni...

Page 735: ... in IRF mode Examples Centralized devices in standalone mode Display information about multicast session statistics Sysname display session statistics multicast Slot 0 Current sessions 0 Session establishment rate 0 s Received 0 packets 0 bytes Sent 0 packets 0 bytes Distributed devices in standalone mode centralized devices in IRF mode Display information about multicast session statistics Sysnam...

Page 736: ...y session statistics summary chassis chassis number slot slot number Views Any view Predefined user roles network admin network operator Parameters slot slot number Specifies a card by its slot number If you do not specify a card this command displays summary information about unicast session statistics for all cards Distributed devices in standalone mode slot slot number Specifies an IRF member d...

Page 737: ...distributed devices in standalone mode IRF member ID This field is available for centralized devices in IRF mode Sessions Total number of unicast sessions TCP Number of TCP unicast sessions UDP Number of UDP unicast sessions Rate Rate of unicast session creation TCP rate Rate of TCP unicast session creation UDP rate Rate of UDP unicast session creation display session table ipv4 Use display sessio...

Page 738: ...start source IPv4 address The end source ip argument specifies the end source IPv4 address destination ip start destination ip end destination ip Specifies a destination IPv4 address or IPv4 address range for a unicast session from the initiator to the responder The start destination ip argument specifies the start destination IPv4 address The end destination ip argument specifies the end destinat...

Page 739: ...mode Display brief information about all IPv4 unicast session entries Sysname display session table ipv4 Slot 1 Initiator Source IP port 192 168 1 18 1877 Destination IP port 192 168 1 55 22 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol TCP 6 Inbound interface GigabitEthernet1 0 1 Source security zone Trust Initiator Source IP port 192 168 1 18 1792 Destination IP port 192 168 1 55 2...

Page 740: ...Source IP port 192 168 1 18 1792 Destination IP port 192 168 1 55 2048 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol ICMP 1 Inbound interface GigabitEthernet1 0 1 Source security zone Trust Responder Source IP port 192 168 1 55 1792 Destination IP port 192 168 1 18 0 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol ICMP 1 Inbound interface GigabitEthernet1 0 2 Source secur...

Page 741: ... 36 TTL 28s Initiator Responder 1 packets 48 bytes Responder Initiator 0 packets 0 bytes Initiator Source IP port 192 168 1 18 1792 Destination IP port 192 168 1 55 2048 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol ICMP 1 Inbound interface GigabitEthernet1 0 1 Source security zone Trust Responder Source IP port 192 168 1 55 1792 Destination IP port 192 168 1 18 0 DS Lite tunnel peer...

Page 742: ...interface does not belong to any security zone this field displays a hyphen State Unicast session state Application Application layer protocol FTP or DNS If it is an unknown protocol identified by an unknown port this field displays OTHER Start time Unicast session establishment time TTL Remaining lifetime of the unicast session in seconds Initiator Responder Number of packets and bytes from the i...

Page 743: ...ip start source ip end source ip Specifies a source IPv6 address or IPv6 address range for a unicast session from the initiator to the responder The start source ip argument specifies the start source IPv6 address The end source ip argument specifies the end source IPv6 address destination ip start destination ip end destination ip Specifies a destination IPv6 address or IPv6 address range for a u...

Page 744: ... Source IP port 2011 2 58473 Destination IP port 2011 8 32768 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol IPV6 ICMP 58 Inbound interface GigabitEthernet1 0 1 Source security zone Trust Total sessions found 1 Centralized devices in standalone mode Display detailed information about all IPv6 unicast session entries Sysname display session table ipv6 verbose Slot 0 Initiator Source IP...

Page 745: ...stance VLAN ID Inline ID Protocol IPV6 ICMP 58 Inbound interface GigabitEthernet1 0 2 Source security zone Local State ICMPV6_REQUEST Application OTHER Start time 2011 07 29 19 23 41 TTL 55s Initiator Responder 1 packets 104 bytes Responder Initiator 0 packets 0 bytes Total sessions found 1 Table 109 Command output Field Description Initiator Information about the unicast session from the initiato...

Page 746: ...isplay session table multicast ipv4 to display information about IPv4 multicast session entries that match specific criteria Syntax Centralized devices in standalone mode display session table multicast ipv4 source ip start source ip end source ip destination ip start destination ip end destination ip protocol dccp icmp raw ip sctp tcp udp udp lite source port source port destination port destinat...

Page 747: ...stination ip argument specifies the start destination IPv4 address The end destination ip argument specifies the end destination IPv4 address protocol dccp icmp raw ip sctp tcp udp udp lite Specifies an IPv4 transport layer protocol including DCCP ICMP RawIP SCTP TCP UDP and UDP Lite source port source port Specifies a source port by its number The source port argument specifies the source port of...

Page 748: ...terface list GigabitEthernet1 0 2 GigabitEthernet1 0 3 Total sessions found 3 Centralized devices in standalone mode Display detailed information about all IPv4 multicast session entries Sysname display session table multicast ipv4 verbose Slot 0 Inbound initiator Source IP port 3 3 3 4 1609 Destination IP port 232 0 0 1 1025 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol UDP 17 Inbou...

Page 749: ... 3 3 4 1609 Destination IP port 232 0 0 1 1025 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol UDP 17 Outbound responder Source IP port 232 0 0 1 1025 Destination IP port 3 3 3 4 1609 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol UDP 17 Outbound interface GigabitEthernet1 0 3 Destination security zone bbb State UDP_OPEN Application OTHER Start time 2014 03 03 15 59 22 TTL...

Page 750: ...ytes Outbound initiator Source IP port 3 3 3 4 1609 Destination IP port 232 0 0 1 1025 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol UDP 17 Outbound responder Source IP port 232 0 0 1 1025 Destination IP port 3 3 3 4 1609 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol UDP 17 Outbound interface GigabitEthernet1 0 2 Destination security zone aaa State UDP_OPEN Application ...

Page 751: ...ticast session from the responder to the initiator on the outbound interface DS Lite tunnel peer Address of the DS Lite tunnel peer If the multicast session is not tunneled by DS Lite this field displays a hyphen VPN instance VLAN ID Inline ID MPLS L3VPN instance to which the multicast session belongs VLAN and inline to which the multicast session belongs during Layer 2 forwarding If a parameter i...

Page 752: ...ce port destination port destination port verbose Distributed devices in standalone mode centralized devices in IRF mode display session table multicast ipv6 slot slot number source ip start source ip end source ip destination ip start destination ip end destination ip protocol dccp icmpv6 raw ip sctp tcp udp udp lite source port source port destination port destination port verbose Distributed de...

Page 753: ...e value range for the source port argument is 0 to 65535 destination port destination port Specifies a destination port by its number The destination port argument specifies the destination port of a multicast session from the initiator to the responder The value range for the destination port argument is 0 to 65535 verbose Displays detailed information about IPv6 multicast session entries If you ...

Page 754: ...025 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol UDP 17 Inbound responder Source IP port FF0E 1 1025 Destination IP port 3 4 1617 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol UDP 17 Inbound interface GigabitEthernet1 0 1 Source security zone Trust State UDP_OPEN Application OTHER Start time 2014 03 03 16 10 58 TTL 23s Initiator Responder 5 packets 520 bytes Outbound i...

Page 755: ...ty zone ccc State UDP_OPEN Application OTHER Start time 2014 03 03 16 10 58 TTL 23s Initiator Responder 5 packets 520 bytes Total sessions found 3 Distributed devices in standalone mode centralized devices in IRF mode Display detailed information about all IPv6 multicast session entries Sysname display session table multicast ipv6 verbose Slot 0 Total sessions found 0 Slot 1 Total sessions found 0...

Page 756: ...security zone bbb State UDP_OPEN Application OTHER Start time 2014 03 03 16 10 58 TTL 23s Initiator Responder 5 packets 520 bytes Outbound initiator Source IP port 3 4 1617 Destination IP port FF0E 1 1025 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol UDP 17 Outbound responder Source IP port FF0E 1 1025 Destination IP port 3 4 1617 DS Lite tunnel peer VPN instance VLAN ID Inline ID Pr...

Page 757: ...gabitEthernet1 0 1 Source security zone Trust State UDP_OPEN Application OTHER Start time 2014 03 03 16 10 58 TTL 23s Initiator Responder 5 packets 520 bytes Outbound initiator Source IP port 3 4 1617 Destination IP port FF0E 1 1025 DS Lite tunnel peer VPN instance VLAN ID Inline ID Protocol UDP 17 Outbound responder Source IP port FF0E 1 1025 Destination IP port 3 4 1617 DS Lite tunnel peer VPN i...

Page 758: ...ast session from the responder to the initiator on the inbound interface Outbound initiator Information about the multicast session from the initiator to the responder on the outbound interface Outbound responder Information about the multicast session from the responder to the initiator on the outbound interface DS Lite tunnel peer Address of the DS Lite tunnel peer If the multicast session is no...

Page 759: ... hyphen Initiator Responder Number of packets and bytes from the initiator to the responder Total sessions found Total number of found multicast session entries reset session relation table Use reset session relation table to clear relation entries Syntax Centralized devices in standalone mode reset session relation table ipv4 ipv6 Distributed devices in standalone mode centralized devices in IRF ...

Page 760: ...on statistics slot slot number Distributed devices in IRF mode reset session statistics chassis chassis number slot slot number Views User view Predefined user roles network admin Parameters slot slot number Specifies a card by its slot number If you do not specify a card this command clears unicast session statistics for all cards Distributed devices in standalone mode slot slot number Specifies ...

Page 761: ... device this command clears multicast session statistics for all member devices Centralized devices in IRF mode chassis chassis number slot slot number Specifies a card on a member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card If you do not specify a card this command clears multicast session sta...

Page 762: ...ble ipv4 to clear information about IPv4 unicast session entries that match specific criteria Syntax Centralized devices in standalone mode reset session table ipv4 source ip source ip destination ip destination ip protocol dccp icmp raw ip sctp tcp udp udp lite source port source port destination port destination port vpn instance vpn instance name Distributed devices in standalone mode centraliz...

Page 763: ...e destination port argument specifies the destination port of a unicast session from the initiator to the responder The value range for the destination port argument is 0 to 65535 vpn instance vpn instance name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If you want to clear IPv4 unicast session entries on the public network do not specify this option...

Page 764: ...gument specifies the destination IPv6 address of a unicast session from the initiator to the responder protocol dccp icmpv6 raw ip sctp tcp udp udp lite Specifies an IPv6 transport layer protocol including DCCP ICMPv6 Raw IP SCTP TCP UDP and UDP Lite source port source port Specifies a source port by its number The source port argument specifies the source port of a unicast session from the initia...

Page 765: ...and clears multicast session entries for all cards Distributed devices in IRF mode Examples Clear all IPv4 and IPv6 multicast session entries Sysname reset session table multicast Related commands display session table multicast ipv4 display session table multicast ipv6 reset session table multicast ipv4 Use reset session table multicast ipv4 to clear information about IPv4 multicast session entri...

Page 766: ...p raw ip sctp tcp udp udp lite Specifies an IPv4 transport layer protocol including DCCP ICMP RawIP SCTP TCP UDP and UDP Lite source port source port Specifies a source port by its number The source port argument specifies the source port of a multicast session from the initiator to the responder The value range for the source port argument is 0 to 65535 destination port destination port Specifies...

Page 767: ... number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card If you do not specify a card this command clears information for all cards Distributed devices in IRF mode source ip source ip Specifies a source IPv6 address The source ip argument specifies the source IPv6 address of a multicast session from the initiator to the resp...

Page 768: ...lications Syntax session aging time application application name time value undo session aging time application application name Default The aging time is 1200 seconds for sessions of application layer protocols or applications except for the following sessions BOOTPC sessions 120 seconds BOOTPS sessions 120 seconds DNS sessions 1 second FTP sessions 3600 seconds FTP DATA sessions 240 seconds GTP ...

Page 769: ... seconds The value range 1 to 100000 Usage guidelines This command sets the aging time for stable sessions of the specified application layer protocol or applications For TCP sessions the stable state is ESTABLISHED For UDP sessions the stable state is READY For sessions of application layer protocols or applications that are not supported by this command the aging time is set by the session aging...

Page 770: ...me wait udp open udp ready time value undo session aging time state fin icmp reply icmp request rawip open rawip ready syn tcp close tcp est tcp time wait udp open udp ready Default The aging time for sessions in different protocol states is as follows FIN_WAIT 30 seconds ICMP REPLY 30 seconds ICMP REQUEST 60 seconds RAWIP OPEN 30 seconds RAWIP READY 60 seconds TCP SYN SENT and SYN RCV 30 seconds ...

Page 771: ... commands display session aging time state session aging time application session persistent acl session log bytes active Use session log bytes active to set the byte based threshold for traffic based logging Use undo session log bytes active to restore the default Syntax session log bytes active bytes value undo session log bytes active Default The device does not output session logs based on the...

Page 772: ...of 2000 to 3999 inbound Specifies the inbound direction outbound Specifies the outbound direction Usage guidelines If you do not specify an ACL this command enables session logging for all IPv4 or IPv6 sessions on the interface If you do not specify the inbound or the outbound keyword this command enables session logging on both directions Up to one IPv4 ACL and one IPv6 ACL can be applied to each...

Page 773: ...ace gigabitethernet 1 0 3 Sysname GigabitEthernet1 0 3 session log enable ipv6 acl 2050 outbound Related commands session log bytes active session log flow begin session log flow end session log packets active session log time active session log flow begin Use session log flow begin to enable logging for session creation Use undo session log flow begin to disable logging for session creation Synta...

Page 774: ...and logging for session deletion are enabled Examples Enable logging for session deletion Sysname system view Sysname session log flow end Related commands session log enable session log packets active Use session log packets active to set the packet based threshold for traffic based logging Use undo session log packets active to restore the default Syntax session log packets active packets value ...

Page 775: ...he time based session logging Use undo session log time active to restore the default Syntax session log time active time value undo session log time active Default The device does not output session logs Views System view Predefined user roles network admin Parameters time value Specifies the interval in minutes The value range for the time value argument is 10 to 120 and the value must be intege...

Page 776: ...ABLISHED state For a TCP session in ESTABLISHED state the priority of the aging time is as follows Aging time for persistent sessions Aging time for sessions of application layer protocols Aging time for sessions in different protocol states A never age out session is not removed until the device receives a connection close request from the initiator or responder or you manually clear the session ...

Page 777: ...do not configure this command on symmetric path networks Examples Set the mode of session state machine to loose Sysname system view Sysname session state machine mode loose session statistics enable Use session statistics enable to enable session statistics collection Use undo session statistics enable to disable session statistics collection Syntax session statistics enable undo session statisti...

Page 778: ...760 Examples Enable session statistics collection Sysname system view Sysname session statistics enable Related commands display session statistics display session table ...

Page 779: ...cy policy policy id undo connection limit ipv6 policy policy policy id Default No connection limit policies exist Views System view Predefined user roles network admin Parameters ipv6 policy Specifies an IPv6 connection limit policy policy Specifies an IPv4 connection limit policy policy id Specifies the ID of a connection limit policy An IPv4 or IPv6 connection limit policy has its own number The...

Page 780: ...value range for this argument is 1 to 32 Usage guidelines Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied to an interface A new IPv4 or IPv6 connection limit policy overwrites the old one Examples Apply IPv4 connection limit policy 1 to GigabitEthernet 2 0 1 Sysname system view Sysname interface gigabitethernet 2 0 1 Sysname GigabitEthernet2 0 1 connection...

Page 781: ...ne IPv6 connection limit policy can be applied globally A new IPv4 or IPv6 connection limit policy overwrites the old one Examples Apply IPv4 connection limit policy 1 globally Sysname system view Sysname connection limit apply global policy 1 Apply IPv6 connection limit policy 12 globally Sysname system view Sysname connection limit apply global ipv6 policy 12 Related commands connection limit li...

Page 782: ...imit policies Syntax display connection limit ipv6 policy policy policy id all Views Any view Predefined user roles network admin network operator Parameters ipv6 policy Specifies an IPv6 connection limit policy policy Specifies an IPv4 connection limit policy policy id Specifies a connection limit policy by its ID The value range for this argument is 1 to 32 all Specifies all connection limit pol...

Page 783: ...00 90 0 3000 10 Src Dst Port 50 45 0 3003 11 Src 200 200 0 3004 200 500000 498000 0 2002 Application list GigabitEthernet2 0 1 GigabitEthernet2 0 2 Vlan interface1 Tunnel0 Global Display information about all IPv6 connection limit policies Sysname display connection limit ipv6 policy all 2 policies in total Policy Rule Stat Type HiThres LoThres Rate ACL 3 1 Src Dst 1000 800 10 3010 2 Dst 500 450 0...

Page 784: ...tion IP and service combination Src Limits connections by source IP address Dst Limits connections by destination IP address Port Limits connections by service Dslite Limits connections by B4 device of a DS Lite tunnel Limits connections not by a specific IP address or service All connections that match the ACL used by the rule are limited HiThres Upper limit of the connections LoThres Lower limit...

Page 785: ...rd or specify a virtual interface such as a VLAN interface or tunnel interface Distributed devices in standalone mode slot slot number Specifies an IRF member device by its member ID This option is available only when you specify the global keyword or specify a virtual interface such as a VLAN interface and tunnel interface Centralized devices in IRF mode chassis chassis number slot slot number Sp...

Page 786: ...es Centralized devices in standalone mode Display statistics about all IPv6 connections that match the connection limit rule on GigabitEthernet 2 0 1 Sysname display connection limit ipv6 stat nodes interface gigabitethernet 2 0 1 Slot 2 Src IP address Any VPN instance vpn5 Dst IP address fe80 5ed9 98ff feb1 69b6 VPN instance abcdefghijklmnopqrstuvwxyzabcde Service tcp 12345 Limit rule ID 12345 AC...

Page 787: ...it Distributed devices in IRF mode Display statistics about IPv6 connections that match the connection limit rule on GigabitEthernet 1 2 0 2 Sysname display connection limit ipv6 stat nodes interface gigabitethernet 1 2 0 2 Slot 2 in chassis 1 Src IP address 5 1 VPN instance Vpn1 Dst IP address Any VPN instance Service All Limit rule ID 21 ACL 2988 Sessions threshold Hi Lo 2000 1500 Sessions count...

Page 788: ...known xx The cross signs xx indicates the protocol number For the ICMP protocol the protocol number is the decimal digits that are converted from the hexadecimal contents of the type and code fields Limit rule ID ID of the matched rule The ACL number of the rule is enclosed in parentheses Sessions threshold Hi Lo Upper and lower connection limits Sessions count Number of current connections Sessio...

Page 789: ...the global keyword or specify a virtual interface such as a VLAN interface or tunnel interface Centralized devices in IRF mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card This option is available only when you specify the...

Page 790: ...about IPv4 connections that match connection limit rules globally or on an interface Syntax Centralized devices in standalone mode display connection limit stat nodes global interface interface type interface number destination destination ip service port port number source source ip count display connection limit stat nodes global interface interface type interface number dslite peer b4 address c...

Page 791: ...nel The b4 address argument specifies the IPv6 address of the B4 device count Displays only the number of limit rule based statistics sets Detailed information about the specified IPv4 connections is not displayed If you do not specify this keyword the command displays detailed information about the specified IPv4 connections that match connection limit rules Usage guidelines The statistics for co...

Page 792: ...terface 2 Sysname display connection limit stat nodes interface vlan interface 2 Slot 2 Src IP address 100 100 100 100 VPN instance 0123456789012345678901234567890 Dst IP address 200 200 200 200 VPN instance abcdefghijklmnopqrstuvwxyzabcde DS Lite tunnel peer Service tcp 12345 Limit rule ID 12345 ACL 3001 Sessions threshold Hi Lo 1100000 980000 Sessions count 1050000 Sessions limit rate 0 New sess...

Page 793: ...l peer Service udp 333 Limit rule ID 19 ACL 3307 Sessions threshold Hi Lo 10000 9900 Sessions count 1001 Sessions limit rate 0 New session flag Permit Centralized devices in standalone mode Display the number of global limit rule based statistics sets Sysname display connection limit stat nodes global count Current limit statistic nodes count is 5 Distributed devices in standalone mode Display the...

Page 794: ...d lower connection limits Sessions count Number of current connections Sessions limit rate Maximum number of connections established per second New session flag Whether or not new connections can be created Permit New connections can be created Deny New connections cannot be created NOTE When the number of connections reaches the upper limit this field displays Permit although new connections are ...

Page 795: ... When user connections in a range or of a type exceed the upper connection limit new connections cannot be created As a best practice set the upper connection limit to a value greater than 32 to make sure the device can function correctly min amount Specifies the lower connection limit in the range of 1 to 4294967294 The lower connection limit cannot be greater than the upper connection limit New ...

Page 796: ...e 1 for IPv4 connection limit policy 1 1 Configure ACL 3000 Sysname system view Sysname acl advanced 3000 Sysname acl ipv4 adv 3000 rule permit ip source 192 168 0 0 0 0 0 255 Sysname acl ipv4 adv 3000 quit 2 Limit connections that match ACL 3000 by the source and destination IP addresses with the upper limit 2000 lower limit 1800 and establishment rate 10 per second Sysname connection limit polic...

Page 797: ...IRF member device by its member ID The slot number argument represents the ID of the IRF member device This option is available only when you specify the global keyword or specify a virtual interface such as a VLAN interface or tunnel interface Centralized devices in IRF mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the...

Page 798: ...bal slot 2 Distributed devices in IRF mode Clear the global connection limit statistics of the card in slot 2 on IRF member device 1 Sysname reset connection limit statistics global chassis 1 slot 2 Related commands display connection limit statistics ...

Page 799: ... IPv4 address object group Sysname system view Sysname object group ip address ipgroup Sysname obj grp ip ipgroup description This is an IPv4 object group display object group Use display object group to display information about object groups Syntax display object group ip ipv6 address service port default name object group name name object group name Views Any view Predefined user roles network ...

Page 800: ... 30 network range 1 1 1 1 1 2 40 network group object obj3 Port object group obj7 0 object in use Port object group obj8 3 objects out of use 0 port lt 20 10 port range 20 30 20 port group object obj7 Service object group obj5 0 object in use Service object group obj6 6 objects out of use 0 service 200 10 service tcp source lt 50 destination range 30 40 20 service udp source range 30 40 destinatio...

Page 801: ...is not used network IPv4 address object group view Use network to configure an IPv4 address object Use undo network to delete an IPv4 address object Syntax object id network host address ip address name host name subnet ip address mask length mask range ip address1 ip address2 group object object group name undo network host address ip address name host name subnet ip address mask length mask rang...

Page 802: ...object with an address range if the two addresses are in different subnets Configures the object with a subnet address if the two addresses are in the same subnet When you use the group object object group name option follow these guidelines The object group to be used must be an IPv4 address object group If the specified object group does not exist the system creates an IPv4 address object group ...

Page 803: ...an object ID in the range of 0 to 4294967294 If you do not configure an object ID the system automatically assigns the object a multiple of 10 next to the greatest ID being used For example if the greatest ID is 22 the system automatically assigns 30 host Configures an IPv6 address object with the host address or name address ipv6 address Specifies an IPv6 host address name host name Specifies a h...

Page 804: ... used by another group Examples Configure an IPv6 address object with the host address of 1 1 Sysname system view Sysname object group ipv6 address ipv6group Sysname obj grp ipv6 ipv6group network host address 1 1 Configure an IPv6 address object with the host name of pc3 Sysname system view Sysname object group ipv6 address ipv6group Sysname obj grp ipv6 ipv6group network host name pc3 Configure ...

Page 805: ...ults vary with the specified object group If the specified group does not exist the system executes the command without any system prompt If the specified group exists and the group type is the same as that in the command the system deletes the group If the specified group exists but the group type is different from that in the command the command fails If the specified object group is being used ...

Page 806: ...figures a port object with a port range The value range for the port1 and port2 arguments is 0 to 65535 group object object group name Specifies a port object group by its name a case insensitive string of 1 to 31 characters Usage guidelines This command fails if you use it to configure or change a port object to be identical with an existing object This command creates a port object if the specif...

Page 807: ... used by another group Examples Configure a port object with a port number of 100 Sysname system view Sysname object group port portgroup Sysname obj grp port portgroup port eq 100 Configure a port object with a port number smaller than 20 Sysname system view Sysname object group port portgroup Sysname obj grp port portgroup port lt 20 Configure a port object with a port number greater than 60000 ...

Page 808: ...o 65535 range port1 port2 Configures a service object with a port range The value range for the port1 and port2 arguments is 0 to 65535 icmp type Configures the ICMP message type in the range of 0 to 255 icmp code Configures the ICMP message code in the range of 0 to 255 icmpv6 type Configures the ICMPv6 message type in the range of 0 to 255 icmpv6 code Configures the ICMPv6 message code in the ra...

Page 809: ... the object Two object groups cannot use each other at the same time The system supports a maximum of five object group hierarchy layers For example if groups 1 2 3 and 4 use groups 2 3 4 and 5 respectively group 5 cannot use another group and group 1 cannot be used by another group Examples Configure a service object with a protocol number of 100 Sysname system view Sysname object group service s...

Page 810: ... admin Usage guidelines Insufficient hardware resources cause acceleration failures When the system has sufficient hardware resources acceleration can take effect again under either of the following conditions You change or add rules for the policy You use this command to enable rule matching acceleration again After you enable rule matching acceleration the following situations might occur Accele...

Page 811: ... policy Sysname system view Sysname object policy ip permit Sysname object policy ip permit description zone pair security office to library Related commands display object policy ip display object policy ipv6 display object policy accelerate Use display object policy accelerate to display acceleration information for object policies Syntax Centralized devices in standalone mode display object pol...

Page 812: ...mber slot slot number Specifies a card on an IRF member device The chassis number argument represents the IRF member ID The slot number argument represents the slot number of the card Distributed device in IRF mode Examples Display brief acceleration information for all IPv4 object policies Sysname display object policy accelerate summary ip Object policy ip a Object policy ip c Display detailed a...

Page 813: ...cy ip pass Name of the IPv4 object policy This is an IPv4 object policy for the zone pair security source office destination library Description of the IPv4 object policy Object policy accelerated Rule matching acceleration is enabled for the IPv4 object policy rule 5 pass source ip sourceip Statement of rule 5 The value of sourceip is the name of the source IPv4 address object group rule 5 commen...

Page 814: ...bject policy rule 5 pass source ip sourceipv6 Statement of rule 5 The value of sourceipv6 is the name of the source IPv6 address object group rule 5 comment This rule is used for source ip sourceipv6 Description of rule 5 display object policy statistics zone pair security Use display object policy statistics zone pair security to display statistics for the object policies applied to a zone pair S...

Page 815: ...eip1 is the name of the source IPv4 address object group Object policy apply ipv6 OfficeToLibraryIPv6 Name of the IPv6 object policy applied to the zone pair rule 0 pass source ip sourceip3 Statement of rule 0 The value of sourceip3 is the name of the source IPv6 address object group x packets y bytes The rule has matched x packets a total of y bytes This field is displayed only when the following...

Page 816: ... ipv6 drop Name of the IPv6 object policy applied to the zone pair move rule Use move rule to change the rule match order of a rule in an object policy Syntax move rule rule id before insert rule id Views Object policy view Parameters rule id Specifies a rule by its ID in the range of 0 to 65534 insert rule id Specifies the ID of the target rule before which a rule is inserted The target rule ID i...

Page 817: ... policy does not exist this command fails You can apply only one IPv4 object policy to each zone pair To apply a new IPv4 object policy to an instance remove the application of the existing IPv4 object policy Examples Configure an IPv4 object policy and apply it to a zone pair Sysname system view Sysname object policy ip permit Sysname object policy ip permit quit Sysname zone pair security source...

Page 818: ...re an IPv6 object policy and apply it to a zone pair Sysname system view Sysname object policy ipv6 permit Sysname object policy ipv6 permit quit Sysname zone pair security source office destination library Sysname zone pair security office library object policy apply ipv6 permit Related commands display object policy zone pair security object policy apply ip object policy ipv6 object policy ip Us...

Page 819: ...r its view or enter the view of an existing IPv6 object policy Use undo object policy ipv6 to delete an IPv6 object policy Syntax object policy ipv6 object policy name undo object policy ipv6 object policy name Default No IPv6 object policies exist Views System view Predefined user roles network admin Parameters object policy name Configures the IPv6 object policy name a case insensitive string of...

Page 820: ...e ip keyword nor the ipv6 keyword the system clears statistics for all object policies applied to the specified zone pairs Examples Clear statistics for all IPv4 object policies applied to the zone pair with source security zone office and destination security zone library Sysname reset object policy statistics zone pair security source office destination library ip Related commands display object...

Page 821: ...t group by its name a case insensitive string of 1 to 31 characters service any Specifies all service object groups vrf vrf name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If you do not specify this option the command applies to packets of the public network application application name Specifies an application by its name a case insensitive string o...

Page 822: ...g time range time1 Configure a rule to apply DPI application profile profile1 to packets that match source IPv4 address object group sourceip1 Sysname system view Sysname object policy ip dpiproc Sysname object policy ip dpiproc rule inspect profile1 source ip sourceip1 logging Configure a rule to permit packets that match application aaa Sysname system view Sysname object policy ip dpiproc Sysnam...

Page 823: ... case insensitive string of 1 to 31 characters service any Specifies all service object groups vrf vrf name Specifies an MPLS L3VPN instance by its name a case sensitive string of 1 to 31 characters If you do not specify this option the command applies to packets of the public network application application name Specifies an application by its name a case insensitive string of 1 to 63 characters ...

Page 824: ...p sourceip1 to pass through during time range time1 Sysname system view Sysname object policy ipv6 permit Sysname object policy ipv6 permit rule pass source ip sourceip1 logging time range time1 Configure a rule to apply DPI application profile profile1 to packets that match source IPv4 address object group sourceip1 Sysname system view Sysname object policy ipv6 dpiproc Sysname object policy ipv6...

Page 825: ...ule does not have a description this command configures the description Otherwise this command overwrites the existing description for the rule Examples Create rule 0 for IPv4 object policy permit and configure a description for rule 0 Sysname system view Sysname object policy ip permit Sysname object policy ip permit rule 0 pass source ip ip1 Sysname object policy ip permit rule 0 comment This ru...

Page 826: ...ed user roles network admin Parameters client verify Adds the victim IP addresses to the protected IP list for TCP client verification If TCP client verification is enabled the device provides proxy services for protected servers drop Drops subsequent ACK packets destined for the victim IP addresses logging Enables logging for ACK flood attack events Usage guidelines For the ACK flood attack detec...

Page 827: ...characters Do not specify this option if the protected IP address is on the public network threshold threshold value Specifies the threshold for triggering ACK flood attack prevention The value range is 1 to 1000000 in units of ACK packets sent to the specified IP address per second action Specifies the actions when an ACK flood attack is detected If no action is specified the global actions set b...

Page 828: ...policy view Predefined user roles network admin Usage guidelines The global ACK flood attack detection applies to all IP addresses except those specified by the ack flood detect command The global detection uses the global trigger threshold set by the ack flood threshold command and global actions specified by the ack flood action command Examples Enable global ACK flood attack detection in the at...

Page 829: ...ttack detection configured the device is in attack detection state When the sending rate of ACK packets to an IP address reaches the threshold the device enters prevention state and takes the specified actions When the rate is below the silence threshold three fourths of the threshold the device returns to the attack detection state Examples Set the global threshold to 100 for triggering ACK flood...

Page 830: ...cy Use attack defense local apply policy to apply an attack defense policy to the device Use undo attack defense local apply policy to restore the default Syntax attack defense local apply policy policy name undo attack defense local apply policy Default No attack defense policy is applied to the device Views System view Predefined user roles network admin Parameters policy name Specifies an attac...

Page 831: ...cation delay to restore the default Syntax attack defense login reauthentication delay seconds undo attack defense login reauthentication delay Default The login delay feature is disabled The device does not delay accepting a login request from a user who has failed a login attempt Views System view Predefined user roles network admin Parameters seconds Specifies the delay period in seconds in the...

Page 832: ... Related commands attack defense apply policy display attack defense policy attack defense signature log non aggregate Use attack defense signature log non aggregate to enable log non aggregation for single packet attack events Use undo attack defense signature log non aggregate to restore the default Syntax attack defense signature log non aggregate undo attack defense signature log non aggregate...

Page 833: ...enable undo blacklist enable Default The blacklist feature is disabled on an interface Views Interface view Predefined user roles network admin Usage guidelines If the global blacklist feature is enabled the blacklist feature is enabled on all interfaces If the global blacklist feature is disabled you can use this command to enable the blacklist feature on individual interfaces Examples Enable the...

Page 834: ...pn instance name ds lite peer ds lite peer address timeout minutes undo blacklist ip source ip address vpn instance vpn instance name ds lite peer ds lite peer address Default No IPv4 blacklist entries exist Views System view Predefined user roles network admin Parameters source ip address Specifies an IPv4 address for the blacklist entry Packets sourced from this address will be dropped vpn insta...

Page 835: ...rce ipv6 address vpn instance vpn instance name timeout minutes undo blacklist ipv6 source ipv6 address vpn instance vpn instance name Default No IPv6 blacklist entries exist Views System view Predefined user roles network admin Parameters source ipv6 address Specifies an IPv6 address for the blacklist entry Packets sourced from this address will be dropped vpn instance vpn instance name Specifies...

Page 836: ...efined user roles network admin Usage guidelines With logging enabled for the blacklist feature the system outputs logs in the following situations A blacklist entry is manually added A blacklist entry is dynamically added by the scanning attack detection feature A blacklist entry is manually deleted A blacklist entry ages out A blacklist log records the following information Source IP address of ...

Page 837: ...bject group name undo blacklist object group Default No address object group is added to the blacklist Views System view Predefined user roles network admin Parameters object group name Specifies an address object group by its name a case insensitive string of 1 to 31 characters Usage guidelines This command must be used together with the address object group feature For more information about add...

Page 838: ...stem Sysname blacklist user usera timeout 20 Related commands blacklist global enable display blacklist user client verify dns enable Use client verify dns enable to enable DNS client verification on an interface Use undo client verify dns enable to disable DNS client verification on an interface Syntax client verify dns enable undo client verify dns enable Default DNS client verification is disab...

Page 839: ...s Interface view Predefined user roles network admin Usage guidelines Enable HTTP client verification on the interface connected to the external network This feature protects internal servers against HTTP flood attacks For the HTTP client verification to collaborate with HTTP flood attack prevention specify client verify as the HTTP flood attack prevention action During collaboration the device ad...

Page 840: ... requests destined for this address are verified by the client verification feature vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the specified IPv4 address belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters Do not specify this option if the IPv4 address is on the public network port port number Specifies the port to be protected in ...

Page 841: ...ll connection requests destined for this address are verified by the client verification feature vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the specified IPv6 address belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters Do not specify this option if the IPv6 address is on the public network port port number Specifies the port to be ...

Page 842: ...TCP client verification to collaborate with TCP flood attack prevention specify client verify as the TCP flood attack prevention action During collaboration the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a TCP flood attack You can use the display client verify tcp protected ip command to display the protected IP list for TCP client v...

Page 843: ...address vpn vpn instance name interface interface type interface number local chassis chassis number slot slot number count Views Any view Predefined user roles network admin network operator Parameters ack flood Specifies ACK flood attack dns flood Specifies DNS flood attack fin flood Specifies FIN flood attack flood Specifies all IPv4 flood attacks http flood Specifies HTTP flood attack icmp flo...

Page 844: ...al parameters are not specified this command display IPv4 flood attack detection and prevention statistics on all interfaces and the device Examples Centralized devices in standalone mode Display all IPv4 flood attack detection and prevention statistics Sysname display attack defense flood statistics ip IP address VPN Detected on Detect type State PPS Dropped 192 168 100 221 a0123456789 GE1 0 2 SY...

Page 845: ...addresses that are protected against flood attacks Sysname display attack defense flood statistics ip count Slot 1 Totally 2 flood entries Slot 2 Totally 1 flood entries Distributed devices in IRF mode Display the number of IPv4 addresses that are protected against flood attacks Sysname display attack defense flood statistics ip count Slot 1 in chassis 1 Totally 2 flood entries Slot 2 in chassis 2...

Page 846: ...vpn instance name interface interface type interface number local chassis chassis number slot slot number count Views Any view Predefined user roles network admin network operator Parameters ack flood Specifies ACK flood attack dns flood Specifies DNS flood attack fin flood Specifies FIN flood attack flood Specifies all IPv6 flood attacks http flood Specifies HTTP flood attack icmpv6 flood Specifi...

Page 847: ...ddresses are not recorded If the interface and local parameters are not specified this command display IPv6 flood attack detection and prevention statistics on all interfaces and the device Examples Centralized devices in standalone mode Display all IPv6 flood attack detection and prevention statistics Sysname display attack defense flood statistics ipv6 IPv6 address VPN Detected on Detect type St...

Page 848: ... flood attacks Sysname display attack defense flood statistics ipv6 count Slot 1 Totally 5 flood entries Slot 2 Totally 3 flood entries Distributed devices in IRF mode Display the number of IPv6 addresses that are protected against flood attacks Sysname display attack defense flood statistics ipv6 count Slot 1 in chassis 1 Totally 5 flood entries Slot 2 in chassis 2 Totally 3 flood entries Table 1...

Page 849: ...s command output includes the following configuration information about an attack defense policy Whether attack detection is enabled Attack prevention actions Attack prevention trigger thresholds Examples Display the configuration of the attack defense policy abc Sysname display attack defense policy abc Attack defense Policy Information Policy name abc Applied list GE1 0 1 Vlan1 Exempt IPv4 ACL N...

Page 850: ...ly Disabled Info L ICMP source quench Disabled Info L ICMP destination unreachable Enabled Info L ICMP redirect Enabled Info L ICMP time exceeded Enabled Info L ICMP parameter problem Disabled Info L ICMP timestamp request Disabled Info L ICMP timestamp reply Disabled Info L ICMP information request Disabled Info L ICMP information reply Disabled Medium L D ICMP address mask request Disabled Mediu...

Page 851: ...13 Table 124 Command output Field Description Policy name Name of the attack defense policy Applied list List of interfaces to which the attack defense policy is applied If the policy is applied to the device this field displays Local Exempt IPv4 ACL IPv4 ACL used for attack detection exemption Exempt IPv6 ACL IPv6 ACL used for attack detection exemption Actions Attack prevention actions CV Client...

Page 852: ... prevention actions against the flood attack D Dropping packets L Logging CV Client verification Not configured Service ports Ports that are protected against the flood attack This field displays port numbers only for the DNS and HTTP flood attacks For other flood attacks this field displays a hyphen Non specific Whether the global flood attack detection is enabled Flood attack defense for protect...

Page 853: ...defense policy ip Use display attack defense policy ip to display information about IPv4 addresses protected by flood attack detection and prevention Syntax Centralized devices in standalone mode display attack defense policy policy name ack flood dns flood fin flood flood http flood icmp flood rst flood syn ack flood syn flood udp flood ip ip address vpn vpn instance name count Distributed device...

Page 854: ... in standalone mode slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays information about IPv4 addresses protected by flood attack detection and prevention for all IRF member devices Centralized devices in IRF mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument rep...

Page 855: ... 5 DNS FLOOD 23 0 Centralized devices in standalone mode Display the number of IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc Sysname display attack defense policy abc flood ip count Totally 3 flood protected IP addresses Distributed devices in standalone mode centralized devices in IRF mode Display the number of IPv4 addresses protected by flood...

Page 856: ...ount Distributed devices in standalone mode centralized devices in IRF mode display attack defense policy policy name ack flood dns flood fin flood flood http flood icmpv6 flood rst flood syn ack flood syn flood udp flood ipv6 ipv6 address vpn vpn instance name slot slot number count Distributed devices in IRF mode display attack defense policy policy name ack flood dns flood fin flood flood http ...

Page 857: ...6 addresses protected by flood attack detection and prevention for all cards Distributed devices in IRF mode count Displays the number of matching IPv6 addresses protected by flood attack detection and prevention Examples Centralized devices in standalone mode Display information about all IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc Sysname di...

Page 858: ...ses protected by flood attack detection and prevention in the attack defense policy abc Sysname display attack defense policy abc flood ipv6 count Slot 1 in chassis 1 Totally 3 flood protected IP addresses Slot 2 in chassis 2 Totally 3 flood protected IP addresses Table 127 Command output Field Description Totally 3 flood protected IP addresses Total number of the IPv6 addresses protected by flood...

Page 859: ...o not specify a member device this command displays information about IPv4 scanning attackers for all member devices Centralized devices in IRF mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card This option is available onl...

Page 860: ...anning attackers Sysname display attack defense scan attacker ip count Slot 1 Totally 3 attackers Slot 2 Totally 2 attackers Distributed devices in IRF mode Display the number of IPv4 scanning attackers Sysname display attack defense scan attacker ip count Slot 1 in chassis 1 Totally 3 attackers Slot 2 in chassis 2 Totally 2 attackers Table 128 Command output Field Description Totally 3 attackers ...

Page 861: ...plays information about IPv6 scanning attackers for all cards Distributed devices in standalone mode slot slot number Specifies an IRF member device by its member ID This option is available only when you specify the device or a global interface such as a VLAN interface or tunnel interface If you do not specify a member device this command displays information about IPv6 scanning attackers for all...

Page 862: ...n 2013 2 TCP GE1 1 0 4 1234 1230 22 UDP GE1 1 0 4 10 Slot 2 in chassis 2 IPv6 address VPN instance Protocol Detected on Duration min 2004 4 TCP GE2 2 0 2 1122 1042 2 UDP GE2 2 0 4 24 Centralized devices in standalone mode Display the number of IPv6 scanning attackers Sysname display attack defense scan attacker ipv6 count Totally 3 attackers Distributed devices in standalone mode centralized devic...

Page 863: ...hassis chassis number slot slot number count Views Any view Predefined user roles network admin network operator Parameters interface interface type interface number Specifies an interface by its type and number local Specifies the device slot slot number Specifies a card by its slot number This option is available only when you specify the device or a global interface such as a VLAN interface or ...

Page 864: ...192 168 31 2 TCP GE1 0 4 21 2 2 2 3 UDP GE1 0 4 1234 Slot 2 IP address VPN instance Protocol Detected on Duration min Distributed devices in IRF mode Display information about all IPv4 scanning attack victims Sysname display attack defense scan victim ip Slot 1 in chassis 1 IP address VPN instance Protocol Detected on Duration min 192 168 31 2 TCP GE1 1 0 4 21 2 2 2 3 UDP GE1 1 0 4 1234 Slot 2 in ...

Page 865: ...es in standalone mode centralized devices in IRF mode display attack defense scan victim ipv6 interface interface type interface number local slot slot number count Distributed devices in IRF mode display attack defense scan victim ipv6 interface interface type interface number local chassis chassis number slot slot number count Views Any view Predefined user roles network admin network operator P...

Page 866: ... 2013 2 TCP GE1 0 4 210 1230 22 UDP GE1 0 4 13 Distributed devices in standalone mode centralized devices in IRF mode Display information about all IPv6 scanning attack victims Sysname display attack defense scan victim ipv6 Slot 1 IPv6 address VPN instance Protocol Detected on Duration min 2013 2 TCP GE1 0 4 210 1230 22 UDP GE1 0 4 13 Slot 2 IPv6 address VPN instance Protocol Detected on Duration...

Page 867: ...tics interface to display attack detection and prevention statistics on an interface Syntax Centralized devices in standalone mode display attack defense statistics interface interface type interface number Distributed devices in standalone mode centralized devices in IRF mode display attack defense statistics interface interface type interface number slot slot number Distributed devices in IRF mo...

Page 868: ...ibuted devices in IRF mode Examples Centralized devices in standalone mode Display attack detection and prevention statistics on interface GigabitEthernet 1 0 1 Sysname display attack defense statistics interface gigabitethernet 1 0 1 Attack policy name abc Scan attack defense statistics AttackType AttackTimes Dropped Port scan 2 23 IP sweep 3 33 Distribute port scan 1 10 Flood attack defense stat...

Page 869: ...MPv6 echo reply 1 1 ICMPv6 group membership query 1 0 ICMPv6 group membership report 1 0 ICMPv6 group membership reduction 1 0 ICMPv6 destination unreachable 1 0 ICMPv6 time exceeded 1 0 ICMPv6 parameter problem 1 0 ICMPv6 packet too big 1 0 Distributed devices in standalone mode centralized devices in IRF mode Display attack detection and prevention statistics on interface GigabitEthernet 1 0 1 f...

Page 870: ... 3 0 Fragment 1 0 Impossible 1 1 Teardrop 1 1 Tiny fragment 1 0 IP options abnormal 3 0 Smurf 1 0 Ping of death 1 0 Traceroute 1 0 Large ICMP 1 0 TCP NULL flag 1 0 TCP all flags 1 0 TCP SYN FIN flags 1 0 TCP FIN only flag 1 0 TCP invalid flag 1 0 TCP Land 1 0 Winnuke 1 0 UDP Bomb 1 0 Snork 1 0 Fraggle 1 0 Large ICMPv6 1 0 ICMP echo request 1 0 ICMP echo reply 1 0 ICMP source quench 1 0 ICMP destin...

Page 871: ...0 1 chassis 1 slot 1 Attack policy name abc Slot 1 in chassis 1 Scan attack defense statistics AttackType AttackTimes Dropped Port scan 2 23 IP sweep 3 33 Distribute port scan 1 10 Flood attack defense statistics AttackType AttackTimes Dropped SYN flood 1 0 ACK flood 1 0 SYN ACK flood 3 5000 RST flood 2 0 FIN flood 2 0 UDP flood 1 0 ICMP flood 1 0 ICMPv6 flood 1 0 DNS flood 1 0 HTTP flood 1 0 Sign...

Page 872: ...CMP timestamp reply 6 0 ICMP information request 7 0 ICMP information reply 4 0 ICMP address mask request 2 0 ICMP address mask reply 1 0 ICMPv6 echo request 1 1 ICMPv6 echo reply 1 1 ICMPv6 group membership query 1 0 ICMPv6 group membership report 1 0 ICMPv6 group membership reduction 1 0 ICMPv6 destination unreachable 1 0 ICMPv6 time exceeded 1 0 ICMPv6 parameter problem 1 0 ICMPv6 packet too bi...

Page 873: ...ce by its member ID If you do not specify a member device this command displays attack detection and prevention statistics for all IRF member devices Centralized devices in IRF mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the ...

Page 874: ... 3 0 Smurf 1 0 Ping of death 1 0 Traceroute 1 0 Large ICMP 1 0 TCP NULL flag 1 0 TCP all flags 1 0 TCP SYN FIN flags 1 0 TCP FIN only flag 1 0 TCP invalid flag 1 0 TCP Land 1 0 Winnuke 1 0 UDP Bomb 1 0 Snork 1 0 Fraggle 1 0 Large ICMPv6 1 0 ICMP echo request 1 0 ICMP echo reply 1 0 ICMP source quench 1 0 ICMP destination unreachable 1 0 ICMP redirect 2 0 ICMP time exceeded 3 0 ICMP parameter probl...

Page 875: ...d Port scan 2 23 IP sweep 3 33 Distribute port scan 1 10 Flood attack defense statistics AttackType AttackTimes Dropped SYN flood 1 0 ACK flood 1 0 SYN ACK flood 3 5000 RST flood 2 0 FIN flood 2 0 UDP flood 1 0 ICMP flood 1 0 ICMPv6 flood 1 0 DNS flood 1 0 HTTP flood 1 0 Signature attack defense statistics AttackType AttackTimes Dropped IP option record route 1 100 IP option security 2 0 IP option...

Page 876: ...cho request 1 1 ICMPv6 echo reply 1 1 ICMPv6 group membership query 1 0 ICMPv6 group membership report 1 0 ICMPv6 group membership reduction 1 0 ICMPv6 destination unreachable 1 0 ICMPv6 time exceeded 1 0 ICMPv6 parameter problem 1 0 ICMPv6 packet too big 1 0 Distributed devices in IRF mode Display attack detection and prevention statistics for the device Sysname display attack defense statistics ...

Page 877: ...P options abnormal 3 0 Smurf 1 0 Ping of death 1 0 Traceroute 1 0 Large ICMP 1 0 TCP NULL flag 1 0 TCP all flags 1 0 TCP SYN FIN flags 1 0 TCP FIN only flag 1 0 TCP invalid flag 1 0 TCP Land 1 0 Winnuke 1 0 UDP Bomb 1 0 Snork 1 0 Fraggle 1 0 Large ICMPv6 1 0 ICMP echo request 1 0 ICMP echo reply 1 0 ICMP source quench 1 0 ICMP destination unreachable 1 0 ICMP redirect 2 0 ICMP time exceeded 3 0 IC...

Page 878: ...ddress count Distributed devices in standalone mode centralized devices in IRF mode display blacklist ip source ip address vpn instance vpn instance name ds lite peer ds lite peer address slot slot number count Distributed devices in IRF mode display blacklist ip source ip address vpn instance vpn instance name ds lite peer ds lite peer address chassis chassis number slot slot number count Views A...

Page 879: ...01 55 7 45 abc 2013 1 Manual Never 14478 Distributed devices in standalone mode centralized devices in IRF mode Display IPv4 blacklist entries on the card or IRF member device in slot 1 Sysname display blacklist ip slot 1 Slot 1 IP address VPN instance DS Lite tunnel peer Type TTL sec Dropped 192 168 11 5 Dynamic 10 353452 123 123 123 123 a0123456789012 2013 fe07 221a 4011 Dynamic 123 4294967295 2...

Page 880: ... blacklist entry Manual or Dynamic TTL sec Remaining aging time of the IPv4 blacklist entry in seconds If no aging time is set for the entry this field displays Never Dropped Number of dropped packets sourced from the IPv4 address Totally 3 blacklist entries Total number of IPv4 blacklist entries Related commands blacklist ip display blacklist ipv6 Use display blacklist ipv6 to display IPv6 blackl...

Page 881: ...f matching IPv6 blacklist entries Usage guidelines If you do not specify any parameters this command displays all IPv6 blacklist entries Examples Centralized devices in standalone mode Display all IPv6 blacklist entries Sysname display blacklist ipv6 IPv6 address VPN instance Type TTL sec Dropped 1 4 Manual Never 14478 1 5 Dynamic 10 353452 2013 fe07 221a 4011 a0123456789012345 Dynamic 123 4294967...

Page 882: ...the blacklist entry VPN instance MPLS L3VPN instance to which the blacklisted IPv6 address belongs If the blacklisted IPv6 address is on the public network this field displays hyphens Type Type of the IPv6 blacklist entry Manual or Dynamic TTL sec Remaining aging time of the IPv6 blacklist entry in seconds If no aging time is set for the entry this field displays Never Dropped Number of dropped pa...

Page 883: ...seconds If no aging time is set for the entry this field displays Never Dropped Number of dropped packets sourced from the user Totally 3 blacklist entries Total number of user blacklist entries Related commands blacklist global enable blacklist user display client verify protected ip Use display client verify protected ip to display protected IPv4 addresses for client verification Syntax Centrali...

Page 884: ...D If you do not specify a member device this command displays protected IPv4 addresses for all member devices Centralized devices in IRF mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device The slot number argument represents the slot number of the card If you do not specify a card this c...

Page 885: ...unt Slot 1 Totally 3 protected IP addresses Slot 2 Totally 3 protected IP addresses Distributed devices in IRF mode Display the number of protected IPv4 addresses for TCP client verification Sysname display client verify tcp protected ip count Slot 1 in chassis 1 Totally 3 protected IP addresses Slot 2 in chassis 2 Totally 3 protected IP addresses Centralized devices in standalone mode Display the...

Page 886: ... client verification Sysname display client verify dns protected ip count Slot 1 Totally 3 protected IP addresses Slot 2 Totally 3 protected IP addresses Distributed devices in IRF mode Display the number of protected IPv4 addresses for DNS client verification Sysname display client verify dns protected ip count Slot 1 in chassis 1 Totally 3 protected IP addresses Slot 2 in chassis 2 Totally 3 pro...

Page 887: ...otected IP addresses Distributed devices in standalone mode centralized devices in IRF mode Display the number of protected IPv4 addresses for HTTP client verification Sysname display client verify http protected ip count Slot 1 Totally 3 protected IP addresses Slot 2 Totally 3 protected IP addresses Distributed devices in IRF mode Display the number of protected IPv4 addresses for HTTP client ver...

Page 888: ...TP client verification feature tcp Specifies the TCP client verification feature ipv6 address Specifies a protected IPv6 address If you do not specify an IPv6 address this command displays all protected IPv6 addresses vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs The vpn instance name argument is a case sensitive string of 1 to 31 char...

Page 889: ...Pv6 address VPN instance Port Type Requested Trusted 1 2 3 4 5 6 7 8 100 Manual 4568 8798 1023 1123 vpn1 65535 Dynamic 15969 4679 Distributed devices in IRF mode Display the protected IPv6 addresses for TCP client verification Sysname display client verify tcp protected ipv6 Slot 1 in chassis 1 IPv6 address VPN instance Port Type Requested Trusted 1 2 3 4 5 6 7 8 100 Manual 14478 5501 1023 1123 vp...

Page 890: ...S client verification Sysname display client verify dns protected ipv6 Slot 1 in chassis 1 IPv6 address VPN instance Port Type Requested Trusted 1 2 3 4 5 6 7 8 53 Manual 14478 5501 1023 1123 vpn1 53 Dynamic 4294967295 15151 Slot 2 in chassis 2 IPv6 address VPN instance Port Type Requested Trusted 1 2 3 4 5 6 7 8 53 Manual 4568 8798 1023 1123 vpn1 53 Dynamic 15969 4679 Centralized devices in stand...

Page 891: ...http protected ipv6 Slot 1 in chassis 1 IPv6 address VPN instance Port Type Requested Trusted 1 2 3 4 5 6 7 8 8080 Manual 14478 5501 1023 1123 vpn1 80 Dynamic 4294967295 15151 Slot 2 in chassis 2 IPv6 address VPN instance Port Type Requested Trusted 1 2 3 4 5 6 7 8 8080 Manual 4568 8798 1023 1123 vpn1 80 Dynamic 15969 4679 Centralized devices in standalone mode Display the number of protected IPv6...

Page 892: ... display client verify dns http tcp trusted ip ip address vpn vpn instance name count Distributed devices in standalone mode centralized devices in IRF mode display client verify dns http tcp trusted ip ip address vpn vpn instance name slot slot number count Distributed devices in IRF mode display client verify dns http tcp trusted ip ip address vpn vpn instance name chassis chassis number slot sl...

Page 893: ...234 1234 1234 3550 Distributed devices in standalone mode centralized devices in IRF mode Display the trusted IPv4 addresses for DNS client verification Sysname display client verify dns trusted ip Slot 1 IP address VPN instance DS Lite tunnel peer TTL sec 11 1 1 2 vpn1 3600 123 123 123 123 a012345678901234567 1234 1234 1234 1234 3550 Slot 2 IP address VPN instance DS Lite tunnel peer TTL sec 11 1...

Page 894: ...P address VPN instance DS Lite tunnel peer TTL sec 11 1 1 3 vpn1 1200 Distributed devices in IRF mode Display the trusted IPv4 addresses for HTTP client verification Sysname display client verify http trusted ip Slot 1 in chassis 1 IP address VPN instance DS Lite tunnel peer TTL sec 11 1 1 2 vpn1 3600 123 123 123 123 a012345678901234567 1234 1234 1234 1234 3550 Slot 2 in chassis 2 IP address VPN i...

Page 895: ...TCP client verification Sysname display client verify tcp trusted ip Slot 1 in chassis 1 IP address VPN instance DS Lite tunnel peer TTL sec 11 1 1 2 vpn1 3600 123 123 123 123 a012345678901234567 1234 1234 1234 1234 3550 Slot 2 in chassis 2 IP address VPN instance DS Lite tunnel peer TTL sec 11 1 1 3 vpn1 1200 Centralized devices in standalone mode Display the number of trusted IPv4 addresses for ...

Page 896: ...client verify dns http tcp trusted ipv6 ipv6 address vpn vpn instance name count Distributed devices in standalone mode centralized devices in IRF mode display client verify dns http tcp trusted ipv6 ipv6 address vpn vpn instance name slot slot number count Distributed devices in IRF mode display client verify dns http tcp trusted ipv6 ipv6 address vpn vpn instance name chassis chassis number slot...

Page 897: ... instance TTL sec 1 3 vpn1 1643 1234 1234 a012345678901234 1234 Distributed devices in standalone mode centralized devices in IRF mode Display the trusted IPv6 addresses for DNS client verification Sysname display client verify dns trusted ipv6 Slot 1 IPv6 address VPN instance TTL sec 1 3 vpn1 1643 1234 1234 a012345678901234 1234 Slot 2 IPv6 address VPN instance TTL sec 1 3 vpn1 1643 Distributed d...

Page 898: ... vpn1 1643 Distributed devices in IRF mode Display the trusted IPv6 addresses for HTTP client verification Sysname display client verify http trusted ipv6 Slot 1 in chassis 1 IPv6 address VPN instance TTL sec 1 3 vpn1 1643 1234 1234 a012345678901234 1234 Slot 2 in chassis 2 IPv6 address VPN instance TTL sec 1 3 vpn1 1643 Centralized devices in standalone mode Display the number of trusted IPv6 add...

Page 899: ...erify tcp trusted ipv6 Slot 1 in chassis 1 IPv6 address VPN instance TTL sec 1 3 vpn1 1643 1234 1234 a012345678901234 1234 Slot 2 in chassis 2 IPv6 address VPN instance TTL sec 1 3 vpn1 1643 Centralized devices in standalone mode Display the number of trusted IPv6 addresses for TCP client verification Sysname display client verify tcp trusted ipv6 count Totally 3 trusted IPv6 addresses Distributed...

Page 900: ...Predefined user roles network admin Parameters client verify Adds the victim IP addresses to the protected IP list for DNS client verification If DNS client verification is enabled the device provides proxy services for protected servers drop Drops subsequent DNS packets destined for the victim IP addresses logging Enables logging for DNS flood attack events Usage guidelines For the DNS flood atta...

Page 901: ...a protected IPv4 address or up to 22 port number items for a protected IPv6 address Each item specifies a port by its port number or a range of ports in the form of start port number to end port number The end port number cannot be smaller than the start port number If you do not specify this option the global ports apply threshold threshold value Specifies the threshold for triggering DNS flood a...

Page 902: ...cific Default Global DNS flood attack detection is disabled Views Attack defense policy view Predefined user roles network admin Usage guidelines The global DNS flood attack detection applies to all IP addresses except for those specified by the dns flood detect command The global detection uses the global trigger threshold set by the dns flood threshold command and global actions specified by the...

Page 903: ...to global DNS flood attack detection and IP address specific DNS flood attack detection with no port specified Examples Specify the ports 53 and 61000 as the global ports to be protected against DNS flood attacks in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 dns flood port 53 61000 Related command...

Page 904: ... the specified actions When the rate is below the silence threshold three fourths of the threshold the device returns to the attack detection state Examples Set the global threshold to 100 for triggering DNS flood attack prevention in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 dns flood threshold ...

Page 905: ...rd for matching non first fragments If the specified ACL does not exist or does not contain a rule attack detection exemption does not take effect Examples Configure an ACL to permit packets sourced from 1 1 1 1 Configure attack detection exemption for packets matching the ACL in the attack defense policy atk policy 1 Sysname system view Sysname acl basic 2001 Sysname acl ipv4 basic 2001 rule perm...

Page 906: ...t fin flood detect non specific fin flood threshold fin flood detect Use fin flood detect to configure IP address specific FIN flood attack detection Use undo fin flood detect to remove the IP address specific FIN flood attack detection configuration Syntax fin flood detect ip ipv4 address ipv6 ipv6 address vpn instance vpn instance name threshold threshold value action client verify drop logging ...

Page 907: ...When the rate is below the silence threshold three fourths of the threshold the device returns to the attack detection state Examples Configure FIN flood attack detection for 192 168 1 2 in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 fin flood detect ip 192 168 1 2 threshold 2000 Related commands f...

Page 908: ...guidelines The global threshold applies to global FIN flood attack detection Adjust the threshold according to the application scenarios If the number of FIN packets sent to a protected server such as an HTTP or FTP server is normally large set a large threshold A small threshold might affect the server services For a network that is unstable or susceptible to attacks set a small threshold With gl...

Page 909: ...ging Enables logging for HTTP flood attack events Usage guidelines For the HTTP flood attack detection to collaborate with the HTTP client verification make sure the client verify keyword is specified and the HTTP client verification is enabled To enable HTTP client verification use the client verify http enable command Examples Specify drop as the global action against HTTP flood attacks in the a...

Page 910: ... specify this option the global ports apply threshold threshold value Specifies the threshold for triggering HTTP flood attack prevention The value range is 1 to 1000000 in units of HTTP packets sent to the specified IP address per second action Specifies the actions when an HTTP flood attack is detected If no action is specified the global actions set by the http flood action command apply client...

Page 911: ...cified by the http flood detect command The global detection uses the global trigger threshold set by the http flood threshold command and global actions specified by the http flood action command Examples Enable global HTTP flood attack detection in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 dns ...

Page 912: ...attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 http flood port 80 8080 Related commands http flood action http flood detect http flood detect non specific http flood threshold Use http flood threshold to set the global threshold for triggering HTTP flood attack prevention Use undo http flood threshold to restore the default Syntax http flood threshold threshold value...

Page 913: ...nse policy atk policy 1 http flood threshold 100 Related commands http flood action http flood detect http flood detect non specific icmp flood action Use icmp flood action to specify global actions against ICMP flood attacks Use undo icmp flood action to restore the default Syntax icmp flood action drop logging undo icmp flood action Default No global action is specified for ICMP flood attacks Vi...

Page 914: ...shold for triggering ICMP flood attack prevention The value range is 1 to 1000000 in units of ICMP packets sent to the specified IP address per second action Specifies the actions when an ICMP flood attack is detected If no action is specified the global actions set by the icmp flood action command apply drop Drops subsequent ICMP packets destined for the protected IP address logging Enables loggi...

Page 915: ...d set by the icmp flood threshold command and global actions specified by the icmp flood action command Examples Enable global ICMP flood attack detection in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 icmp flood detect non specific Related commands icmp flood action icmp flood detect ip icmp flood...

Page 916: ...fourths of the threshold the device returns to the attack detection state Examples Set the global threshold to 100 for triggering ICMP flood attack prevention in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 icmp flood threshold 100 Related commands icmp flood action icmp flood detect ip icmp flood d...

Page 917: ...stance name argument is a case sensitive string of 1 to 31 characters Do not specify this option if the protected IPv6 address is on the public network threshold threshold value Specifies the threshold for triggering ICMPv6 flood attack prevention The value range is 1 to 1000000 in units of ICMPv6 packets sent to the specified IP address per second action Specifies the actions when an ICMPv6 flood...

Page 918: ...idelines The global ICMPv6 flood attack detection applies to all IPv6 addresses except for those specified by the icmpv6 flood detect ipv6 command The global detection uses the global trigger threshold set by the icmpv6 flood threshold command and global actions specified by the icmpv6 flood action command Examples Enable global ICMPv6 flood attack detection in the attack defense policy atk policy...

Page 919: ...hes the threshold the device enters prevention state and takes the specified actions When the rate is below the silence threshold three fourths of the threshold the device returns to the attack detection state Examples Set the global threshold to 100 for triggering ICMPv6 flood attack prevention in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy ...

Page 920: ...ttack defense statistics interface Use reset attack defense statistics interface to clear attack detection and prevention statistics for an interface Syntax reset attack defense statistics interface interface type interface number Views User view Predefined user roles network admin Parameters interface type interface number Specifies an interface by its type and number Examples Clear attack detect...

Page 921: ...ing of 1 to 31 characters Do not specify this option if the IPv4 address is on the public network ds lite peer ds lite peer address Specifies the IPv6 address of the B4 element of the DS Lite tunnel that transmits packets from the blacklisted IPv4 address Do not specify this option if the IPv4 address is on the public network all Specifies all dynamic IPv4 blacklist entries Usage guidelines This c...

Page 922: ...Pv6 blacklist entries Sysname reset blacklist ipv6 all Related commands display blacklist ipv6 reset blacklist statistics Use rest blacklist statistics to clear blacklist statistics Syntax reset blacklist statistics Views User view Predefined user roles network admin Usage guidelines This command resets the counter for dropped packets for all blacklist entries Examples Clear blacklist statistics S...

Page 923: ... for client verification Syntax reset client verify dns http tcp trusted ip ipv6 Views User view Predefined user roles network admin Parameters dns Specifies the DNS client verification feature http Specifies the HTTP client verification feature tcp Specifies the TCP client verification feature ip Specifies the trusted IPv4 list ipv6 Specifies the trusted IPv6 list Examples Clear the trusted IPv4 ...

Page 924: ...t verify tcp enable command Examples Specify drop as the global action against RST flood attacks in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 rst flood action drop Related commands client verify tcp enable rst flood detect rst flood detect non specific rst flood threshold rst flood detect Use rst...

Page 925: ...r protected servers drop Drops subsequent RST packets destined for the protected IP address logging Enables logging for RST flood attack events none Takes no action Usage guidelines With RST flood attack detection configured for an IP address the device is in attack detection state When the sending rate of RST packets to the IP address reaches the threshold the device enters prevention state and t...

Page 926: ...e undo rst flood threshold Default The global threshold is 1000 for triggering RST flood attack prevention Views Attack defense policy view Predefined user roles network admin Parameters threshold value Specifies the threshold value The value range is 1 to 1000000 in units of RST packets sent to an IP address per second Usage guidelines The global threshold applies to global RST flood attack detec...

Page 927: ... many scanning attacks cannot be detected Statistics are collected every 60 seconds for the low level detection high Specifies the high level This level can detect most of the scanning attacks but has a high false alarm rate Some packets from active hosts might be considered as attack packets Statistics are collected every 600 seconds for the high level detection medium Specifies the medium level ...

Page 928: ... policy 1 Sysname attack defense policy atk policy 1 scan detect level low action logging block source timeout 10 Related commands blacklist enable blacklist global enable signature large icmp large icmpv6 max length Use signature large icmp large icmpv6 max length to set the maximum length of safe ICMP or ICMPv6 packets A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than ...

Page 929: ...uest destination unreachable echo reply echo request information reply information request parameter problem redirect source quench time exceeded timestamp reply timestamp request action drop logging none undo signature detect icmp type icmp type value address mask reply address mask request destination unreachable echo reply echo request information reply information request parameter problem red...

Page 930: ...es the ICMP timestamp reply type timestamp request Specifies the ICMP timestamp request type icmpv6 type Specifies an ICMPv6 packet attack by the packet type You can specify the packet type by a number or a keyword icmpv6 type value Specifies the ICMPv6 packet type in the range of 0 to 255 destination unreachable Specifies the ICMPv6 destination unreachable type echo reply Specifies the ICMPv6 ech...

Page 931: ...pecifies the teardrop attack tiny fragment Specifies the tiny fragment attack traceroute Specifies the traceroute attack udp bomb Specifies the UDP bomb attack winnuke Specifies the WinNuke attack action Specifies the actions against the single packet attack If you do not specify this keyword the default action of the attack level to which the single packet attack belongs is used drop Drops packet...

Page 932: ...For example the traceroute attack is on this level medium Specifies the medium level For example the WinNuke attack is on this level drop Drops packets that match the specified level logging Enable logging for single packet attacks on the specified level none Takes no action Usage guidelines According to their severity single packet attacks are divided into four levels info low medium and high Ena...

Page 933: ...evel Usage guidelines According to their severity single packet attacks are divided into four levels info low medium and high Enabling signature detection for a specific level enables signature detection for all single packet attacks on the level Use the signature level action command to specify the actions against single packet attacks on a specific level If you enable signature detection for a s...

Page 934: ...ed and the TCP client verification is enabled To enable TCP client verification use the client verify tcp enable command Examples Specify drop as the global action against SYN ACK flood attacks in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 syn ack flood action drop Related commands client verify t...

Page 935: ...or TCP client verification If TCP client verification is enabled the device provides proxy services for protected servers drop Drops subsequent SYN ACK packets destined for the protected IP address logging Enables logging for SYN ACK flood attack events none Takes no action Usage guidelines With SYN ACK flood attack detection configured for an IP address the device is in attack detection state Whe...

Page 936: ...olicy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 syn ack flood detect non specific Related commands syn ack flood action syn ack flood detect syn ack flood threshold syn ack flood threshold Use syn ack flood threshold to set the global threshold for triggering SYN ACK flood attack prevention Use undo syn ack flood threshol...

Page 937: ...me attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 syn ack flood threshold 100 Related commands syn ack flood action syn ack flood detect syn ack flood detect non specific syn flood action Use syn flood action to specify global actions against SYN flood attacks Use undo syn flood action to restore the default Syntax syn flood action client verify drop logging undo syn...

Page 938: ...pv4 address Specifies the IPv4 address to be protected The ipv4 address argument cannot be 255 255 255 255 or 0 0 0 0 ipv6 ipv6 address Specifies the IPv6 address to be protected vpn instance vpn instance name Specifies the MPLS L3VPN instance to which the protected IP address belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters Do not specify this option if the ...

Page 939: ...cific Use syn flood detect non specific to enable global SYN flood attack detection Use undo syn flood detect non specific to disable global SYN flood attack detection Syntax syn flood detect non specific undo syn flood detect non specific Default Global SYN flood attack detection is disabled Views Attack defense policy view Predefined user roles network admin Usage guidelines The global SYN flood...

Page 940: ...hreshold might affect the server services For a network that is unstable or susceptible to attacks set a small threshold With global SYN flood attack detection configured the device is in attack detection state When the sending rate of SYN packets to an IP address reaches the threshold the device enters prevention state and takes the specified actions When the rate is below the silence threshold t...

Page 941: ...etect to remove the IP address specific UDP flood attack detection configuration Syntax udp flood detect ip ipv4 address ipv6 ipv6 address vpn instance vpn instance name threshold threshold value action drop logging none undo udp flood detect ip ipv4 address ipv6 ipv6 address vpn instance vpn instance name Default IP address specific UDP flood attack detection is not configured Views Attack defens...

Page 942: ... attack detection for 192 168 1 2 in the attack defense policy atk policy 1 Sysname system view Sysname attack defense policy atk policy 1 Sysname attack defense policy atk policy 1 udp flood detect ip 192 168 1 2 threshold 2000 Related commands udp flood action udp flood detect non specific udp flood threshold udp flood detect non specific Use udp flood detect non specific to enable global UDP fl...

Page 943: ...ust the threshold according to the application scenarios If the number of UDP packets sent to a protected server such as an HTTP or FTP server is normally large set a large threshold A small threshold might affect the server services For a network that is unstable or susceptible to attacks set a small threshold With global UDP flood attack detection configured the device is in attack detection sta...

Page 944: ...hitelist feature on individual interfaces Examples Enable the whitelist feature on interface GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 whitelist enable whitelist global enable Use whitelist global enable to enable the global whitelist feature Use undo whitelist global enable to disable the global whitelist feature Syntax whitelis...

Page 945: ...Predefined user roles network admin Parameters object group name Specifies an address object group by its name a case insensitive string of 1 to 31 characters Usage guidelines This command must be used together with the address object group feature For more information about address object groups see Configuring object groups If you execute this command multiple times the most recent configuration...

Page 946: ...00A JH301A Dynamic IPSG is supported only on the following ports Layer 2 Ethernet ports on the following modules HMIM 8GSW HMIM 8GSWF HMIM 24GSW HMIM 24GSWP Fixed Layer 2 Ethernet ports on MSR2004 24 and MSR2004 48 routers display ip source binding Use display ip source binding to display IPv4SG bindings Syntax Centralized devices in standalone mode display ip source binding static vpn instance vp...

Page 947: ...terface by its type and number slot slot number Specifies a card by its slot number If you do not specify a card this command displays IPv4SG bindings for the active MPU Distributed devices in standalone mode slot slot number Specifies an IRF member device by its member ID If you do not specify a member device this command displays IPv4SG bindings for the master device Centralized devices in IRF m...

Page 948: ...vices Related commands ip source binding ip verify source display ipv6 source binding Use display ipv6 source binding to display IPv6SG bindings Syntax Centralized devices in standalone mode display ipv6 source binding static vpn instance vpn instance name dhcpv6 snooping wlan snooping ip address ipv6 address mac address mac address vlan vlan id interface interface type interface number Distribute...

Page 949: ...slot number of the card If you do not specify a card this command displays IPv6SG bindings for the global active MPU Distributed devices in IRF mode Examples Display all IPv6SG bindings on the public network Sysname display ipv6 source binding Total entries found 2 IPv6 Address MAC Address Interface VLAN Type 2012 1222 2012 1222 000f 2202 0435 GE1 0 1 1 DHCPv6 snooping 2012 1222 2012 1222 2012 122...

Page 950: ...an IPv4 address for the static binding The IPv4 address must be a class A B or C address and cannot be 127 x x x or 0 0 0 0 mac address mac address Specifies a MAC address for the static binding The MAC address must be in H H H format and cannot be all 0s all Fs a broadcast MAC address or a multicast MAC address vlan vlan id Specifies a VLAN ID for the static binding The value range is 1 to 4094 U...

Page 951: ...ted from different source modules 802 1X DHCP snooping and WLAN snooping are for different security services For more information see Security Configuration Guide You cannot enable dynamic IPv4SG on a service loopback interface Examples Enable IPv4SG on Layer 2 Ethernet interface GigabitEthernet 1 0 1 and verify the source IPv4 address and MAC address for dynamic IPSG Sysname system view Sysname i...

Page 952: ... that contain MAC addresses are not supported on Layer 2 Ethernet ports on the following modules HMIM 8GSW HMIM 8GSWF HMIM 24GSW HMIM 24GSWP Static IPv6SG bindings that contain IP addresses or VLANs are not supported on the following routers MSR954 JH296A JH297A JH298A JH299A JH373A MSR958 JH300A JH301A Static IPv6SG bindings on an interface filter incoming IPv6 packets on the interface You cannot...

Page 953: ...ature is not supported on the following routers if the ip address or ip address mac address keyword is specified MSR954 JH296A JH297A JH298A JH299A JH373A MSR958 JH300A JH301A The matching criterion in this command applies only to dynamic IPv6SG Static IPv6SG uses static bindings configured by using the ipv6 source binding command Dynamic bindings generated from different source modules DHCPv6 sno...

Page 954: ... enable ARP blackhole routing Use undo arp resolving route enable to disable ARP blackhole routing Syntax arp resolving route enable undo arp resolving route enable Default ARP blackhole routing is enabled Views System view Predefined user roles network admin Usage guidelines Configure this command on the gateways Examples Enable ARP blackhole routing Sysname system view Sysname arp resolving rout...

Page 955: ...count 3 Related commands arp resolving route enable arp resolving route probe interval arp resolving route probe interval Use arp resolving route probe interval to set the interval at which the device probes ARP blackhole routes Use undo arp resolving route probe interval to restore the default Syntax arp resolving route probe interval interval undo arp resolving route probe interval Default The d...

Page 956: ... Configure this feature on the gateways Examples Enable the ARP source suppression feature Sysname system view Sysname arp source suppression enable Related commands display arp source suppression arp source suppression limit Use arp source suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds Use undo arp source suppressio...

Page 957: ...tion about the current ARP source suppression configuration Syntax display arp source suppression Views Any view Predefined user roles network admin network operator Examples Display information about the current ARP source suppression configuration Sysname display arp source suppression ARP source suppression is enabled Current suppression limit 100 Table 143 Command output Field Description Curr...

Page 958: ...dle the attack If you do not specify both the filter and monitor keywords in the undo arp source mac command the command disables this feature Examples Enable the source MAC based ARP attack detection feature and specify the filter handling method Sysname system view Sysname arp source mac filter arp source mac aging time Use arp source mac aging time to set the aging time for ARP attack entries U...

Page 959: ... MAC address in the format of H H H 1 10 indicates that you can configure a maximum of 10 excluded MAC addresses Usage guidelines If you do not specify a MAC address the undo arp source mac exclude mac command removes all excluded MAC addresses Examples Exclude a MAC address from source MAC based ARP attack detection Sysname system view Sysname arp source mac exclude mac 2 2 2 arp source mac thres...

Page 960: ... network operator Parameters interface interface type interface number Specifies an interface by its type and number slot slot number Specifies a card by its slot number If you do not specify a card this command displays ARP attack entries for the active MPU Distributed devices in standalone mode slot slot number Specifies an IRF member device by its ID If you do not specify a member device this c...

Page 961: ...rk admin Usage guidelines Configure this feature on gateways The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body Examples Enable ARP packet source MAC address consistency check Sysname system view Sysname arp valid check enable ARP active acknowledgement commands arp active ack enable Use arp active ac...

Page 962: ...able to enable authorized ARP on an interface Use undo arp authorized enable to disable authorized ARP on an interface Syntax arp authorized enable undo arp authorized enable Default Authorized ARP is disabled on the interface Views Layer 3 Ethernet interface subinterface view Layer 3 aggregate interface subinterface view VLAN interface view Predefined user roles network admin Examples Enable auth...

Page 963: ...tection enable undo arp detection enable Default ARP attack detection is disabled Views VLAN view Predefined user roles network admin Examples Enable ARP attack detection for VLAN 2 Sysname system view Sysname vlan 2 Sysname vlan2 arp detection enable Related commands arp detection rule arp detection rule Use arp detection rule to configure a user validity check rule Use undo arp detection rule to...

Page 964: ...ddress mask in the H H H format If you do not specify the mask the argument specifies the host MAC address any Matches any MAC address vlan vlan id Specifies the ID of a VLAN to which the specified rule applies The value range for the vlan id argument is 1 to 4094 If you do not specify a VLAN the rule applies to all VLANs Usage guidelines A user validity check rule takes effect only when ARP attac...

Page 965: ...redefined user roles network admin Parameters dst mac Checks the target MAC address of ARP responses If the target MAC address is all zero all one or inconsistent with the destination MAC address in the Ethernet header the packet is considered invalid and discarded ip Checks the sender and target IP addresses of ARP replies and the sender IP address of ARP requests All one or multicast IP addresse...

Page 966: ...rding enable Default ARP restricted forwarding is disabled Views VLAN view Predefined user roles network admin Examples Enable ARP restricted forwarding in VLAN 2 Sysname system view Sysname vlan 2 Sysname vlan2 arp restricted forwarding enable display arp detection Use display arp detection to display the VLANs enabled with ARP attack detection Syntax display arp detection Views Any view Predefin...

Page 967: ...ysname display arp detection statistics State U Untrusted T Trusted ARP packets dropped by ARP inspect checking Interface State IP Src MAC Dst MAC Inspect GE1 0 1 U 40 0 0 78 GE1 0 2 U 0 0 0 0 GE1 0 3 T 0 0 0 0 GE1 0 4 U 0 0 30 0 Table 144 Command output Field Description State State of an interface U ARP untrusted interface T ARP trusted interface Interface State Inbound interface of ARP packets ...

Page 968: ...is a one time operation You can use this command again to convert the dynamic ARP entries learned later to static The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries Due to the device s limit on the total number of static ARP entries some dynamic ARP entries might fail the conversion The static ARP entries after conversio...

Page 969: ... in the ARP request is the address on the smallest network segment If no address range is specified the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides The sender IP address in the ARP requests is the primary IP address of the interface The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addre...

Page 970: ...uidelines You can enable ARP gateway protection for a maximum of eight gateways on an interface You cannot configure both the arp filter source and arp filter binding commands on the same interface Examples Enable ARP gateway protection for the gateway with IP address 1 1 1 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 arp filter source 1 1 1 1 ARP filt...

Page 971: ...ddresses of an ARP packet match an ARP permitted entry the ARP packet is permitted If not it is discarded You can configure a maximum of eight ARP permitted entries on an interface You cannot configure both the arp filter source and arp filter binding commands on the same interface Examples Enable ARP filtering and configure an ARP permitted entry Sysname system view Sysname interface gigabitether...

Page 972: ...rk admin network operator Parameters interface interface type interface number Specifies an interface by its type and number slot slot number Specifies a card by its slot number If you do not specify a card this command displays uRPF configuration for all cards Distributed devices in standalone mode slot slot number Specifies an IRF member device by its member ID If you do not specify a member dev...

Page 973: ...drop ACL 2000 Table 145 Command output Field Description failed The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources This field is not displayed if the delivery is successful Check type uRPF check mode loose or strict Allow default route Using the default route is allowed Link check Link layer check is enabled Suppress drop ACL ACL used ...

Page 974: ...trical routing on a PE device Typically you do not need to configure the allow default route keyword on a PE device because it has no default route pointing to a CE If you enable uRPF on a CE that has a default route pointing to the PE specify the allow default route keyword You can use an ACL to match specific packets so they are forwarded even if they fail to pass uRPF check If a Layer 3 PE inte...

Page 975: ...network admin network operator Parameters interface interface type interface number Specifies an interface by its type and number slot slot number Specifies a card by its slot number If you do not specify a card this command displays IPv6 uRPF configuration for all cards Distributed devices in standalone mode slot slot number Specifies an IRF member device by its member ID If you do not specify a ...

Page 976: ...ow default route Using the default route is allowed Suppress drop ACL IPv6 ACL used for drop suppression ipv6 urpf Use ipv6 urpf to enable IPv6 uRPF Use undo ipv6 urpf to disable IPv6 uRPF Syntax ipv6 urpf loose strict allow default route acl acl number undo ipv6 urpf Default IPv6 uRPF is disabled Views Interface view Predefined user roles network admin Parameters loose Enables loose IPv6 uRPF che...

Page 977: ...has no default route pointing to a CE If you enable uRPF on a CE that has a default route pointing to the PE specify the allow default route keyword You can use an ACL to match specific packets so they are forwarded even if they fail to pass IPv6 uRPF check Examples Configure strict IPv6 uRPF check on interface GigabitEthernet 1 0 2 and allow using the default route and IPv6 ACL 2999 to match pack...

Page 978: ...work operator Usage guidelines If the device does not have hardware crypto engines this command displays information only about software crypto engines Examples Display crypto engine information Sysname display crypto engine Crypto engine name cavium crypto driver Crypto engine state Enabled Crypto engine type Hardware Slot ID 0 CPU ID 0 Crypto engine ID 0 Symmetric algorithms des ecb 3des cbc 3de...

Page 979: ...iption Crypto engine state Hardware crypto engine state Enabled Disabled Software crypto engine state Enabled Crypto engine type Crypto engine type Hardware Software Slot ID ID of the LPU that holds the crypto engine CPU ID ID of the CPU on the card This field is not supported in the current software version Symmetric algorithms Supported symmetric algorithms Asymmetric algorithms Supported asymme...

Page 980: ...istributed devices in IRF mode Usage guidelines If hardware crypto engines are not enabled or the device does not have hardware crypto engines this command displays statistics only for software crypto engines If you do not specify any parameters this command displays statistics for all crypto engines Centralized devices in standalone mode If you do not specify any parameters this command displays ...

Page 981: ... 0 Symmetric operations 0 Symmetric errors 0 Asymmetric operations 0 Asymmetric errors 0 Get random operations 0 Get random errors 0 Slot ID 2 CPU ID 0 Crypto engine ID 0 Submitted sessions 0 Failed sessions 0 Symmetric operations 0 Symmetric errors 0 Asymmetric operations 0 Asymmetric errors 0 Get random operations 0 Get random errors 0 Distributed devices in IRF mode Display statistics for all c...

Page 982: ... standalone mode Display statistics for crypto engine 1 on card 2 Sysname display crypto engine statistics engine id 1 slot 2 Submitted sessions 0 Failed sessions 0 Symmetric operations 0 Symmetric errors 0 Asymmetric operations 0 Asymmetric errors 0 Get random operations 0 Get random errors 0 Centralized devices in IRF mode Display statistics for crypto engine 1 on IRF member device 2 Sysname dis...

Page 983: ...failed operations for obtaining random numbers Related commands reset crypto engine statistics reset crypto engine statistics Use reset crypto engine statistics to clear crypto engine statistics Syntax Centralized devices in standalone mode reset crypto engine statistics engine id engine id Distributed devices in standalone mode centralized devices in IRF mode reset crypto engine statistics engine...

Page 984: ...ralized devices in standalone mode If you do not specify any parameters this command clears crypto engine statistics for all cards Distributed devices in standalone mode If you do not specify any parameters this command clears crypto engine statistics for all member devices Centralized devices in IRF mode If you do not specify any parameters this command clears crypto engine statistics for all car...

Page 985: ...le to disable FIPS mode Syntax fips mode enable undo fips mode enable Default FIPS mode is disabled Views System view Predefined user roles network admin Usage guidelines After you enable FIPS mode and reboot the device the device operates in FIPS mode The FIPS device has strict security requirements and performs self tests on cryptography modules to verify that they are operating correctly After ...

Page 986: ...ration file j Delete the original startup configuration file in binary format k Reboot the device After the fips mode enable command is executed the system prompts you to choose a reboot method If you do not make a choice within 30 seconds the system uses the manual reboot method by default After the undo fips mode enable command is executed the system provides the following methods to exit FIPS m...

Page 987: ... method to enter non FIPS mode Sysname undo fips mode enable FIPS mode change requires a device reboot Continue Y N y The system will create a new startup configuration file for non FIPS mode and then reboot automatically Continue Y N n Change the configuration to meet non FIPS mode requirements save the configuration to the next startup configuration file and then reboot to enter non FIPS mode Re...

Page 988: ...est for HMAC SHA1 passed Known answer test for AES passed Known answer test for random number generator passed Known Answer tests in the kernel passed CPU 1 of slot 2 in chassis 1 Starting Known Answer tests in the user space Known answer test for SHA1 passed Known answer test for SHA224 passed Known answer test for SHA256 passed Known answer test for SHA384 passed Known answer test for SHA512 pas...

Page 989: ...wn answer test for SHA1 passed Known answer test for HMAC SHA1 crypto engine passed Known answer test for AES crypto engine passed Known answer test for random number generator crypto engine passed Known answer test for RSA signature verification crypto engine passed Known answer test for RSA encrypt decrypt crypto engine passed Known answer test for DSA signature verification crypto engine passed...

Page 990: ...tarting Known Answer tests in the kernel Known answer test for SHA1 passed Known answer test for HMAC SHA1 passed Known answer test for AES passed Known answer test for SHA1 passed Known Answer tests in the kernel passed FIPS Known Answer Tests passed ...

Page 991: ...ast one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field nam...

Page 992: ... Represents an access controller a unified wired WLAN module or the access controller engine on a unified wired WLAN switch Represents an access point Represents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewall UTM multiservice security gatewa...

Page 993: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Page 994: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Page 995: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Page 996: ...etection rule 945 arp detection trust 946 arp detection validate 947 arp filter binding 952 arp filter source 952 arp fixup 950 arp resolving route enable 936 arp resolving route probe count 936 arp resolving route probe interval 937 arp restricted forwarding enable 948 arp scan 951 arp source mac 939 arp source mac aging time 940 arp source mac exclude mac 941 arp source mac threshold 941 arp sou...

Page 997: ...p 822 client verify protected ipv6 823 client verify tcp enable 824 common name 405 company 53 config exchange 557 connection limit 761 connection limit apply 762 connection limit apply global 762 copy app group 679 country 405 crl check 406 crl url 406 Customer self repair 976 D data flow format HWTACACS scheme view 115 data flow format RADIUS scheme view 86 default logon page 210 delete 615 desc...

Page 998: ...olicy accelerate 793 display object policy ip 794 display object policy ipv6 795 display object policy statistics zone pair security 796 display object policy zone pair security 797 display password control 353 display password control blacklist 354 display pki certificate access control policy 407 display pki certificate attribute group 408 display pki certificate domain 410 display pki certifica...

Page 999: ...witchid 181 dot1x smarton timer supp timeout 182 dot1x timer 183 dot1x unicast trigger 185 dpd 567 dpd 528 E email 61 encapsulation mode 475 encryption 568 encryption algorithm 529 esn enable 476 esp authentication algorithm 477 esp encryption algorithm 478 exchange mode 530 exclude attribute 252 exempt acl 886 exit 617 F fin flood action 887 fin flood detect 888 fin flood detect non specific 889 ...

Page 1000: ...ipsec logging packet enable 487 ipsec profile 492 ipsec redundancy enable 493 ipsec sa global duration 493 ipsec sa idle time 494 ipsec transform set 495 ipv6 258 ipv6 140 ipv6 source binding interface view 933 ipv6 urpf 958 ipv6 verify source 934 ita policy 151 ita policy 44 K key 376 key HWTACACS scheme view 120 key RADIUS scheme view 91 keychain 581 keychain 541 keychain 376 key string 377 L ld...

Page 1001: ...r composition 368 password control super length 369 password control update interval 370 peer 587 peer public key end 385 pfs 496 phone 74 pki abort certificate request 423 pki certificate access control policy 424 pki certificate attribute group 424 pki delete certificate 425 pki domain 427 pki entity 427 pki export 428 pki import 435 pki request certificate 439 pki retrieve certificate 440 pki r...

Page 1002: ...d key 588 prf 589 primary accounting HWTACACS scheme view 122 primary accounting RADIUS scheme view 94 primary authentication HWTACACS scheme view 123 primary authentication RADIUS scheme view 95 primary authorization 125 priority IKE keychain view 547 priority IKE profile view 548 priority IKEv2 policy view 590 priority IKEv2 profile view 591 proposal 549 proposal 591 protocol 497 protocol versio...

Page 1003: ...593 sa duration 505 sa duration 551 sa hex key authentication 506 sa hex key encryption 507 sa idle time 508 sa spi 509 sa string key 510 scan detect 909 scp 623 scp ipv6 625 scp server enable 598 search base dn 146 search scope 146 secondary accounting HWTACACS scheme view 127 secondary accounting RADIUS scheme view 104 secondary authentication HWTACACS scheme view 128 secondary authentication RA...

Page 1004: ...109 state secondary 110 subject dn 453 syn ack flood action 915 syn ack flood detect 916 syn ack flood detect non specific 917 syn ack flood threshold 918 syn flood action 919 syn flood detect 920 syn flood detect non specific 921 syn flood threshold 922 T tcp syn check 671 tcp port 315 tfc enable 514 timer quiet HWTACACS scheme view 131 timer quiet RADIUS scheme view 111 timer realtime accounting...

Page 1005: ...987 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands