HPE FlexNetwork HSR6800 series Security Command Reference Download Page 371

Page: 371 / 538

358

Syntax

In non-FIPS mode:

ssh2

server

[

port-number

] [

vpn-instance

vpn-instance-name

] [

identity-key

{

dsa

rsa

} |

prefer-compress

{

zlib

zlib-openssh

} |

prefer-ctos-cipher

{

3des

aes128

des

} |

prefer-ctos-hmac

{

md5

md5-96

sha1

sha1-96

} |

prefer-kex

{

dh-group-exchange

dh-group1

dh-group14

} |

prefer-stoc-cipher

{

3des

aes128

des

} |

prefer-stoc-hmac

{

md5

md5-96

sha1

sha1-96

} ] *

In FIPS mode:

ssh2

server

[

port-number

] [

vpn-instance

vpn-instance-name

] [

identity-key

rsa

prefer-ctos-cipher

{

aes128

aes256

} |

prefer-ctos-hmac

{

sha1

sha1-96

} |

prefer-kex

dh-group14

prefer-stoc-cipher

{

aes128

aes256

} |

prefer-stoc-hmac

{

sha1

sha1-96

} ] *

Views

User view

Default command level

0: Visit level

Parameters

server

: Specifies an IPv4 server by its address or host name, a case-insensitive string of 1 to 20

characters.

port-number

: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.

vpn-instance

vpn-instance-name

: Specifies the MPLS L3VPN to which the server belongs, where

the

vpn-instance-name

argument is a case-sensitive string of 1 to 31 characters. If the server is on

the public network, do not specify this option.

identity-key

: Specifies the algorithm for publickey authentication, either

dsa

rsa

. In non-FIPS

mode, the algorithm is either

dsa

rsa

. In FIPS mode, the algorithm is

rsa

•

dsa

: Specifies the public key algorithm

dsa.

•

rsa

: Specifies the public key algorithm

rsa

prefer-compress

: Specifies the preferred compression algorithm. By default, the compression

algorithm is not used.

•

zlib

: Specifies the compression algorithm ZLIB.

•

zlib-openssh

: Specifies the compression algorithm

prefer-ctos-cipher

: Specifies the preferred client-to-server encryption algorithm. The default is

aes128

•

3des

: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.

•

aes128

: Specifies the encryption algorithm aes128-cbc.

•

aes256

: Specifies the encryption algorithm aes256-cbc. This keyword is not available in

non-FIPS mode.

•

des

: Specifies the encryption algorithm des-cbc. This keyword is not available in FIPS mode.

prefer-ctos-hmac

: Specifies the preferred client-to-server HMAC algorithm. The default is

sha1-96

•

md5

: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode.

•

md5-96

: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS

mode.

•

sha1

: Specifies the HMAC algorithm hmac-sha1.

•

sha1-96

: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex

: Specifies the preferred key exchange algorithm. In non-FIPS mode, the default is

dh-group-exchange

. In FIPS mode, the default is

dh-group14

Summary of Contents for FlexNetwork HSR6800 series

Page 1: ...HPE FlexNetwork HSR6800 Routers Security Command Reference Part number 5998 4511R Software version HSR6800 CMW520 R3303P25 Document version 6W105 20151231 ...

Page 2: ...nd 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise ...

Page 3: ... access 17 authorization login 18 authorization portal 19 authorization ppp 20 authorization attribute user profile 21 cut connection 22 display connection 23 display domain 26 domain 29 domain default enable 29 domain if unknown 30 idle cut enable 31 ip pool 32 nas id bind vlan 33 self service url enable 33 session time include idle time 34 state ISP domain view 35 Local user configuration comman...

Page 4: ...ADIUS scheme view 83 HWTACACS configuration commands 84 data flow format HWTACACS scheme view 84 display hwtacacs 85 display stop accounting buffer for HWTACACS 88 hwtacacs nas ip 89 hwtacacs scheme 90 key HWTACACS scheme view 91 nas ip HWTACACS scheme view 92 primary accounting HWTACACS scheme view 93 primary authentication HWTACACS scheme view 94 primary authorization 95 reset hwtacacs statistic...

Page 5: ...s 139 Portal configuration commands 140 access user detect 140 display portal acl 141 display portal connection statistics 143 display portal free rule 146 display portal interface 147 display portal server 149 display portal server statistics 150 display portal tcp cheat statistics 152 display portal user 154 portal auth network 155 portal auth network destination 156 portal delete user 157 porta...

Page 6: ...g 198 password control alert before expire 199 password control authentication timeout 199 password control complexity 200 password control composition 200 password control enable 202 password control expired user login 202 password control history 203 password control length 203 password control login idle time 204 password control login attempt 205 password control password update interval 206 p...

Page 7: ...cate 246 pki request certificate domain 247 pki retrieval certificate 248 pki retrieval crl domain 248 pki validate certificate 249 root certificate fingerprint 249 rule PKI CERT ACP view 250 state 251 IPsec configuration commands 252 ah authentication algorithm 252 connection name 252 cryptoengine enable 253 display ipsec policy 253 display ipsec policy template 258 display ipsec profile 260 disp...

Page 8: ...orithm 302 authentication method 302 certificate domain 303 dh 303 display ike dpd 304 display ike peer 305 display ike proposal 306 display ike sa 307 dpd 311 encryption algorithm 312 exchange mode 312 id type 313 ike dpd 314 ike local name 315 ike next payload check disabled 316 ike peer system view 316 ike proposal 316 ike sa keepalive timer interval 317 ike sa keepalive timer timeout 318 ike s...

Page 9: ...t ipv6 source 351 sftp client source 352 sftp ipv6 353 ssh client authentication server 355 ssh client first time enable 355 ssh client ipv6 source 356 ssh client source 357 ssh2 357 ssh2 ipv6 359 Firewall configuration commands 362 Packet filter firewall configuration commands 362 display firewall ipv6 statistics 362 display firewall statistics 363 firewall default 364 firewall enable 364 firewal...

Page 10: ...l http java blocking 400 display firewall http url filter host 401 display firewall http url filter parameter 402 firewall http activex blocking acl 404 firewall http activex blocking enable 405 firewall http activex blocking suffix 405 firewall http java blocking acl 406 firewall http java blocking enable 406 firewall http java blocking suffix 407 firewall http url filter host acl 408 firewall ht...

Page 11: ...tatus 448 tcp anti naptha enable 449 tcp state 449 tcp syn cookie enable 450 tcp timer check state 451 IP source guard configuration commands 452 display ip source binding 452 ip source binding 453 ip verify source 454 ip verify source max entries 455 ARP attack protection configuration commands 457 IP flood protection configuration commands 457 arp resolving route enable 457 arp source suppressio...

Page 12: ...play gdoi ks rekey 483 gdoi ks group 485 gdoi ks redundancy port 485 gdoi ks rekey 486 identity address 486 identity number 487 ipsec 488 local priority 488 peer address 489 profile GDOI KS group IPsec policy view 490 redundancy enable 491 redundancy hello 491 redundancy retransmit 492 rekey acl 493 rekey authentication 494 rekey encryption 495 rekey lifetime 495 rekey retransmit 496 rekey transpo...

Page 13: ...icons 515 Conventions 515 Network topology icons 516 Support and other resources 517 Accessing Hewlett Packard Enterprise Support 517 Accessing updates 517 Websites 518 Customer self repair 518 Remote support 518 Documentation feedback 518 Index 520 ...

Page 14: ...ile a case insensitive string of 1 to 16 characters Examples Create a NAS ID profile named aaa Sysname system view Sysname aaa nas id profile aaa Sysname nas id prof aaa Related commands nas id bind vlan access limit enable Use access limit enable to set the maximum number of online users in an ISP domain After the number of online users reaches the allowed maximum number no more users are accepte...

Page 15: ...ng method Use undo accounting command to restore the default Syntax accounting command hwtacacs scheme hwtacacs scheme name undo accounting command Default The default accounting method for the ISP domain is used for command line accounting Views ISP domain view Default command level 2 System level Parameters hwtacacs scheme hwtacacs scheme name Specifies an HWTACACS scheme by its name a case inse...

Page 16: ... a case insensitive string of 1 to 32 characters Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured The default accounting method is used for all users who support the specified accounting method and have no specific accounting method configured Local accounting is only used for monitoring and controlling the number of local user connections It does not provide the ...

Page 17: ... test to use local accounting for DVPN users Sysname system view Sysname domain test Sysname isp test accounting dvpn local Configure ISP domain test to use RADIUS accounting scheme rd for DVPN users and use local accounting as the backup Sysname system view Sysname domain test Sysname isp test accounting dvpn radius scheme rd local Related commands local user accounting default radius scheme acco...

Page 18: ...lan access local Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup Sysname system view Sysname domain test Sysname isp test accounting lan access radius scheme rd local Related commands local user accounting default radius scheme accounting login Use accounting login to configure the accounting method for login users through the conso...

Page 19: ...to use RADIUS accounting scheme rd for login users and use local accounting as the backup Sysname system view Sysname domain test Sysname isp test accounting login radius scheme rd local Related commands local user accounting default hwtacacs scheme radius scheme accounting optional Use accounting optional to enable the accounting optional feature Use undo accounting optional to disable the featur...

Page 20: ...nting portal Default The default accounting method for the ISP domain is used for portal users Views ISP domain view Default command level 2 System level Parameters local Performs local accounting none Does not perform any accounting radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines The specified RADIUS scheme mu...

Page 21: ...ng of 1 to 32 characters local Performs local accounting none Does not perform any accounting radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured Examples Configure ISP domain test to use local accounting for PPP users Sysname system view Sysname dom...

Page 22: ...us scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured Examples Configure the default authentication method for I...

Page 23: ...iew Sysname domain test Sysname isp test authentication dvpn local Configure ISP domain test to use RADIUS authentication scheme rd for DVPN users and use local authentication as the backup Sysname system view Sysname domain test Sysname isp test authentication dvpn radius scheme rd local Related commands local user authentication default radius scheme authentication lan access Use authentication ...

Page 24: ...ure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup Sysname system view Sysname domain test Sysname isp test authentication lan access radius scheme rd local Related commands local user authentication default radius scheme authentication login Use authentication login to configure the authentication method for login users through the ...

Page 25: ... ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup Sysname system view Sysname domain test Sysname isp test authentication login radius scheme rd local Related commands local user authentication default hwtacacs scheme radius scheme authentication portal Use authentication portal to configure the authentication method for portal users...

Page 26: ...eme authentication ppp Use authentication ppp to configure the authentication method for PPP users Use undo authentication ppp to restore the default Syntax authentication ppp hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local undo authentication ppp Default The default authentication method for the ISP domain is used for PPP users Views ISP domain view De...

Page 27: ...ault Syntax authentication super hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name undo authentication super Default The default authentication method for the ISP domain is used for user privilege level switching authentication Views ISP domain view Default command level 2 System level Parameters hwtacacs scheme hwtacacs scheme name Specifies an HWTACACS scheme by its name a ca...

Page 28: ...cheme by its name a case insensitive string of 1 to 32 characters local Performs local authorization none Does not perform any authorization exchange In this case an authenticated user can access only commands of Level 0 Usage guidelines The specified HWTACACS scheme must have been configured With command line authorization configured a user who has logged in to the device can execute only the com...

Page 29: ...s can access the network FTP users can access the root directory of the device and other login users can access only the commands of Level 0 radius scheme radius scheme name Specifies a RADIUS scheme by its name a case insensitive string of 1 to 32 characters Usage guidelines The specified RADIUS or HWTACACS scheme must have been configured The default authorization method is used for all users wh...

Page 30: ...of 1 to 32 characters Usage guidelines The specified RADIUS scheme must have been configured The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme Examples Configure ISP domain test to use local authorization for DVPN users Sysname system view Sysname domain test Sysname isp test authorization d...

Page 31: ...authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme Examples Configure ISP domain test to use local authorization for LAN users Sysname system view Sysname domain test Sysname isp test authorization lan access local Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use loc...

Page 32: ...heme must have been configured The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme Examples Configure ISP domain test to use local authorization for login users Sysname system view Sysname domain test Sysname isp test authorization login local Configure ISP domain test to use RADIUS authorizat...

Page 33: ... the same RADIUS scheme Examples Configure ISP domain test to use local authorization for portal users Sysname system view Sysname domain test Sysname isp test authorization portal local Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup Sysname system view Sysname domain test Sysname isp test authorization portal radius sc...

Page 34: ...the ISP domain use the same RADIUS scheme Examples Configure ISP domain test to use local authorization for PPP users Sysname system view Sysname domain test Sysname isp test authorization ppp local Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local authorization as the backup Sysname system view Sysname domain test Sysname isp test authorization ppp radius...

Page 35: ... profile1 cut connection Use cut connection to tear down the specified user connections Syntax In standalone mode cut connection access type dot1x mac authentication portal all domain isp name interface interface type interface number ip ip address mac mac address ucibindex ucib index user name user name slot slot number In IRF mode cut connection access type dot1x mac authentication portal all do...

Page 36: ... IRF mode Usage guidelines This command applies to LAN portal and PPP user connections For 802 1X users whose usernames carry the version number or contain spaces you cannot cut the connections by username For 802 1X users whose usernames use a forward slash or backward slash as the domain name delimiter you cannot cut their connections by username For example the cut connection user name aaa bbb ...

Page 37: ...he range of 0 to 4294967295 user name user name Specifies the user connections that use the username The user name argument is a case sensitive string of 1 to 80 characters For a username entered without a domain name the system assumes that the user is in the default domain name or the mandatory authentication domain slot slot number Specifies a card by its slot number The slot number argument re...

Page 38: ...e aaa 123 rather than aaa 123 dom For 802 1X users whose usernames use a forward slash or backward slash as the domain name delimiter you cannot query the connections by username For example the display connection user name aaa bbb command cannot display the connections of the user aaa bbb Examples Display information about all AAA user connections Sysname display connection Slot 0 Index 0 Usernam...

Page 39: ...the format username domain MAC MAC address of the user IP IPv4 address of the user IPv6 IPv6 address of the user Access User access type ACL Group Authorization ACL group When no authorization ACL group is assigned this field displays Disable User Profile Authorization user profile CAR kbps Authorized CAR parameters SessionTimeout Session timeout value received from the server in seconds The value...

Page 40: ... string of 1 to 256 characters Usage guidelines If you do not specify any ISP domain the command displays the configuration of all ISP domains Examples Display the configuration of all ISP domains Sysname display domain 0 Domain system State Active Access limit Disabled Accounting method Required Default authentication scheme local Default authorization scheme local Default accounting scheme local...

Page 41: ...n access authorization scheme Authorization method for LAN users Lan access accounting scheme Accounting method for LAN users Domain User Template Indicates some functions and attributes set for users in the domain Idle cut Indicates whether the idle cut function is enabled With the idle cut function enabled for a domain the system logs out any user in the domain whose traffic is less than the spe...

Page 42: ... domains are in active state when they are created The system predefined ISP domain system cannot be deleted but you can modify its configuration To delete the ISP domain that is used as the default ISP domain you must first change it to a non default ISP domain by using the undo domain default enable command Examples Create ISP domain test and enter ISP domain view Sysname system view Sysname dom...

Page 43: ...te a new ISP domain named test and configure it as the default ISP domain Sysname system view Sysname domain test Sysname isp test quit Sysname domain default enable test Related commands domain state display domain domain if unknown Use domain if unknown to specify an ISP domain for users with unknown domain names Use undo domain if unknown to restore the default Syntax domain if unknown isp name...

Page 44: ...and set the relevant parameters Use undo idle cut enable to restore the default Syntax idle cut enable minute flow undo idle cut enable Default The function is disabled Views ISP domain view Default command level 2 System level Parameters minute Idle timeout period ranging from 1 to 600 minutes flow Minimum traffic during the idle timeout period in bytes It ranges from 1 to 10240000 and defaults t...

Page 45: ...n also configure an address pool for PPP users in system view An IP address pool configured in system view is used to assign IP addresses to PPP users who do not need to be authenticated To specify the address pool used for assigning an IP address to the peer device use the remote address command in interface view An IP address pool configured in ISP domain view is used to assign IP addresses to t...

Page 46: ...the NAS ID ranging from 1 to 4094 Usage guidelines In a NAS ID profile view you can configure multiple NAS ID VLAN bindings A NAS ID can be bound with more than one VLAN but one VLAN can be bound with only one NAS ID If you bind a VLAN with different NAS IDs only the last binding takes effect Examples Bind NAS ID 222 with VLAN 2 Sysname system view Sysname aaa nas id profile aaa Sysname nas id pro...

Page 47: ...rvice session time include idle time Use session time include idle time to include the idle cut time in the user online time to be uploaded to the server Use undo session time include idle time to restore the default Syntax session time include idle time undo session time include idle time Default The user online time uploaded to the server excludes the idle cut time Views ISP domain view Default ...

Page 48: ...quest network services block Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services Usage guidelines By blocking an ISP domain you disable offline users of the domain from requesting network services The online users are not affected Examples Place the ISP domain test to the blocked state Sysname system view Sysname domain test Sysname isp test s...

Page 49: ...tes for the local user or user group After the local user or a local user of the user group passes authentication the device assigns these attributes to the user Use undo authorization attribute to remove authorization attributes and restore the defaults Syntax authorization attribute acl acl number callback number callback number idle cut minute level level user profile profile name user role gue...

Page 50: ...ticated security log administrator can manage security log files The commands that a security log administrator can use are described in the information center commands For more information see Network Management and Monitoring Command Reference vlan vlan id Specifies the authorized VLAN where vlan id ranges from 1 to 4094 After passing authentication a local user can access the resources in this ...

Page 51: ...ecifies the IP address of the user location port slot number subslot number port number Specifies the port to which the user is bound The slot number argument ranges from 0 to 255 the subslot number argument ranges from 0 to 15 and the port number argument ranges from 0 to 255 mac mac address Specifies the MAC address of the user in the format H H H vlan vlan id Specifies the VLAN to which the use...

Page 52: ...word is supported only on SAP interface modules portal Portal users ppp PPP users ssh SSH users telnet Telnet users This keyword is not supported in FIPS mode terminal Users logging in through the console port AUX port or Asyn port state active block Specifies local users in active or blocked state A local user in active state can access network services but a local user in blocked state cannot us...

Page 53: ...Max AccessNum 300 User group system Bind attributes IP address 1 2 3 4 Bind location 0 4 1 SLOT SUBSLOT PORT MAC address 00 01 00 02 00 03 Vlan ID 100 Authorization attributes Idle TimeOut 10 min Work Directory cfa0 User Privilege 3 Acl ID 2000 Vlan ID 100 User Profile prof1 Expiration date 12 12 12 2018 09 16 Password aging Enabled 30 days Password length Enabled 4 characters Password composition...

Page 54: ... AccessNum Number of connections that currently use the username either for all cards or for a specified card Max AccessNum Maximum number of concurrent connections of the username Bind attributes Binding attributes of the local user VLAN ID VLAN to which the local user is bound User Profile User profile for local user authorization Calling Number Calling number of the ISDN user Authorization attr...

Page 55: ...d regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines If you do not specify any user group name the command displays the configuration of all user groups Examples Display the configuration of user group abc Sysname display user group abc The contents of user group abc Authorization attributes Idle cut 120 min Work Dir...

Page 56: ...SS YYYY MM DD MM DD YYYY HH MM SS or YYYY MM DD HH MM SS HH MM SS indicates the time where HH ranges from 0 to 23 and MM and SS range from 0 to 59 MM DD YYYY or YYYY MM DD indicates the date where YYYY ranges from 2000 to 2035 MM ranges from 1 to 12 and the range of DD depends on the month Except for the zeros in 00 00 00 leading zeros can be omitted For example 2 2 0 2008 2 2 equals 02 02 00 2008...

Page 57: ...local user 111 to user group abc Sysname system view Sysname local user 111 Sysname luser 111 group abc group attribute allow guest Use group attribute allow guest to set the guest attribute for a user group Use undo group attribute allow guest to restore the default Syntax group attribute allow guest undo group attribute allow guest Default The guest attribute is not set for a user group Views Us...

Page 58: ...ot contain any backward slash forward slash vertical bar colon asterisk question mark left angle bracket right angle bracket and at sign and cannot be a al or all all Specifies all users service type Specifies the users of a type ftp FTP users This keyword is not supported in FIPS mode lan access Users accessing the network through an Ethernet such as 802 1X users This keyword is supported only on...

Page 59: ...ing The interactive mode is available only on devices that support the password control feature For more information about password control commands see Password control configuration commands When the password control feature is enabled globally by using the password control enable command local user passwords such as the length and complexity are under the restriction of the password control fea...

Page 60: ...ser to use the FTP service The user can use the root directory of the FTP server by default This keyword is not supported in FIPS mode lan access Authorizes the user to use the LAN access service The users are mainly Ethernet users such as 802 1X users This keyword is supported only on SAP interface modules ssh Authorizes the user to use the SSH service telnet Authorizes the user to use the Telnet...

Page 61: ...ser from requesting network services Usage guidelines By blocking a user you disable the user from requesting network services No other users are affected Examples Place local user user1 to the blocked state Sysname system view Sysname local user user1 Sysname luser user1 state block Related commands local user user group Use user group to create a user group and enter its view Use undo user group...

Page 62: ...anage level Parameters time Validity time of the local user in the format HH MM SS MM DD YYYY HH MM SS YYYY MM DD MM DD YYYY HH MM SS or YYYY MM DD HH MM SS HH MM SS indicates the time where HH ranges from 0 to 23 and MM and SS range from 0 to 59 MM DD YYYY or YYYY MM DD indicates the date where YYYY ranges from 2000 to 2035 MM ranges from 1 to 12 and the range of DD depends on the month Except fo...

Page 63: ...send times Maximum number of accounting on packet transmission attempts ranging from 1 to 255 The default is 50 Usage guidelines The accounting on feature enables the device after rebooting to automatically send an accounting on message to the RADIUS accounting server indicated by the RADIUS scheme to stop accounting for and log out online users Parameters set with the accounting on enable command...

Page 64: ...display connection data flow format RADIUS scheme view Use data flow format to set the traffic statistics unit for data flows or packets Use undo data flow format to restore the default Syntax data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet undo data flow format data packet Default The unit for data flows is byte and that for data pack...

Page 65: ...DIUS scheme this command displays the configuration of all RADIUS schemes slot slot number Specifies a card by its slot number The slot number argument represents the slot number of the card If you do not specify a card this command displays the configuration of the RADIUS schemes on the active MPU In standalone mode chassis chassis number slot slot number Specifies a card on an IRF member device ...

Page 66: ...ort 1812 State active Encryption Key N A VPN instance N A Probe username N A Probe interval N A Second Acct Server IP 1 1 2 1 Port 1813 State block Encryption Key N A VPN instance N A Auth Server Encryption Key Acct Server Encryption Key N A VPN instance N A Accounting On packet disable send times 50 interval 3s Interval for timeout second 3 Retransmission times for timeout 3 Interval for realtime...

Page 67: ...s specified for the server this field does not appear Probe username Username used for server status detection Probe interval Server status detection interval in minutes Auth Server Encryption Key Shared key for secure authentication communication displayed as a series of asterisks If no shared key is configured this field displays N A Acct Server Encryption Key Shared key for secure accounting co...

Page 68: ...nt represents the slot number of the card In standalone mode chassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device and the slot number argument represents the slot number of the card In IRF mode Filters command output by specifying a regular expression For more information about regular express...

Page 69: ... 503 Succ 1006 Realtime Account timer Num 0 Err 0 Succ 0 PKT response Num 23 Err 0 Succ 23 Session ctrl pkt Num 0 Err 0 Succ 0 Normal author request Num 0 Err 0 Succ 0 Set policy result Num 0 Err 0 Succ 0 Accounting on request Num 0 Err 0 Succ 0 Accounting on response Num 0 Err 0 Succ 0 Dynamic Author Ext request Num 0 Err 0 Succ 0 RADIUS sent messages statistic Auth accept Num 10 Auth reject Num ...

Page 70: ...of packets received Resend Times Number of transmission attempts Resend total Number of packets retransmitted RADIUS received packets statistic Statistics for RADIUS packets received by the RADIUS module Code Packet type Num Total number of packets Err Number of packets that the device failed to process Succ Number of messages that the device successfully processed Running statistic Statistics for...

Page 71: ... packets for indicating memory allocation failures State Mismatch Number of packets for indicating mismatching status Other_Error Number of packets for indicating other types of errors No response acct stop packet Number of times that no response was received for stop accounting packets Discarded No response acct stop packet for buffer overflow Number of stop accounting packets that were buffered ...

Page 72: ...e information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive strin...

Page 73: ... cipher Sets a ciphertext shared key simple Sets a plaintext shared key key Specifies the shared key string This argument is case sensitive If simple is specified it must be a string of 1 to 64 characters If cipher is specified it must be a ciphertext string of 1 to 117 characters If neither cipher nor simple is specified you set a plaintext shared key string In FIPS mode the shared key must be a ...

Page 74: ...w If the radius nas ip command is not configured the source IP address is the IP address of the outbound interface Views RADIUS scheme view Default command level 2 System level Parameters ipv4 address IPv4 address in dotted decimal notation It must be an address of the device and cannot be 0 0 0 0 255 255 255 255 a class D address or a class E address ipv6 ipv6 address Specifies an IPv6 address It...

Page 75: ...em level Parameters ipv4 address Specifies the IPv4 address of the primary RADIUS accounting server ipv6 ipv6 address Specifies the IPv6 address of the primary RADIUS accounting server which must be a valid global unicast address port number Specifies the service port number of the primary RADIUS accounting server which is a UDP port number ranging from 1 to 65535 and defaults to 1813 key cipher s...

Page 76: ...server in active state from the new primary server on If you remove an accounting server being used by users the device can no longer send real time accounting requests or stop accounting requests for the users and it does not buffer the stop accounting requests Examples For RADIUS scheme radius1 set the IP address of the primary accounting server to 10 110 1 2 the UDP port to 1813 and the shared ...

Page 77: ...ettings of the primary RADIUS authentication authorization server are the same as those configured on the server The shared key configured by this command takes precedence over that configured by using the key authentication cipher simple key command For secrecy all shared keys including keys configured in plain text are saved in cipher text The IP addresses of the authentication authorization ser...

Page 78: ... detection of the primary authentication authorization server to test and set the server status detection interval to 120 minutes Sysname system view Sysname radius scheme radius1 Sysname radius radius1 primary authentication 10 110 1 1 probe username test interval 120 Related commands key RADIUS scheme view vpn instance RADIUS scheme view radius client Use radius client enable to enable the RADIU...

Page 79: ...f the device and cannot be a link local address vpn instance vpn instance name Specifies the MPLS L3VPN to which the source IPv4 address belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters With a VPN specified the command specifies a private network source IPv4 address With no VPN specified the command specifies a public network source IPv4 address Usage guideli...

Page 80: ...3 Manage level Parameters radius scheme name RADIUS scheme name a case insensitive string of 1 to 32 characters Usage guidelines A RADIUS scheme can be referenced by more than one ISP domain at the same time A RADIUS scheme referenced by ISP domains cannot be removed Examples Create a RADIUS scheme named radius1 and enter RADIUS scheme view Sysname system view Sysname radius scheme radius1 Sysname...

Page 81: ...IUS a NAS sends a trap message in the following cases When the status of a RADIUS server changes If a NAS sends a request but receives no response before the maximum number of attempts is exceeded it places the server to the blocked state and sends a trap message If a NAS receives a response from a RADIUS server it considered unreachable it considers that the RADIUS server is reachable again and a...

Page 82: ...ommand level 2 System level Parameters radius scheme radius scheme name Specifies buffered stop accounting requests that are destined for the accounting server defined in a RADIUS scheme The RADIUS scheme name is a case insensitive string of 1 to 32 characters session id session id Specifies the stop accounting requests buffered for a session The session ID is a string of 1 to 50 characters time r...

Page 83: ...d level 2 System level Parameters retry times Maximum number of RADIUS packet transmission attempts ranging from 1 to 20 Usage guidelines Because RADIUS uses UDP packets to transmit data the communication is not reliable If the device does not receive a response to its request from the RADIUS server within the response timeout period it retransmits the RADIUS request If the number of transmission ...

Page 84: ...he user The maximum number of accounting attempts together with some other parameters controls how the NAS sends accounting request packets Suppose that the RADIUS server response timeout period is 3 seconds set with the timer response timeout command the maximum number of RADIUS packet transmission attempts is 3 set with the retry command the real time accounting interval is 12 minutes set with t...

Page 85: ...mand the maximum number of transmission attempts is five set with the retry command and the maximum number of stop accounting request transmission attempts is 20 set with the retry stop accounting command For each stop accounting request if the device receives no response within 3 seconds it retransmits the request If it receives no responses after retransmitting the request five times it consider...

Page 86: ...d you set a plaintext shared key string vpn instance vpn instance name Specifies the MPLS L3VPN to which the secondary RADIUS accounting server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the server is on the public network do not specify this option Usage guidelines Make sure the port number and shared key settings of the secondary RADIUS accounting ...

Page 87: ...110 1 1 the UDP port to 1813 and the shared key to c 3 NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text Sysname system view Sysname radius scheme radius2 Sysname radius radius2 secondary accounting 10 110 1 1 1813 key cipher c 3 NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B Related commands key RADIUS scheme view vpn instance RADIUS scheme view secondary authentication RADIUS scheme view Use secondary authentic...

Page 88: ...imple key command For secrecy all shared keys including keys configured in plain text are saved in cipher text If the specified server resides on an MPLS VPN specify the VPN by using the vpn instance vpn instance name option The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme You can configure up to 16 secondary RADIUS authentication authorization server...

Page 89: ...cation 10 110 1 2 1812 key simple hello For RADIUS scheme radius2 set the IP address of the secondary authentication authorization server to 10 110 1 2 the UDP port to 1812 and the shared key to c 3 NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text Sysname system view Sysname radius scheme radius2 Sysname radius radius2 secondary authentication 10 110 1 2 1812 key cipher c 3 NMCbVjyIutaV6csCOGp4zsKR...

Page 90: ...re the default Syntax server type extended standard undo server type Default The supported RADIUS server type is standard Views RADIUS scheme view Default command level 2 System level Parameters extended Specifies the extended RADIUS server generally running on IMC which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the propr...

Page 91: ...to blocked starts a quiet timer for the server and then tries to communicate with a secondary server in active state a secondary RADIUS server configured earlier has a higher priority When the quiet timer of the primary server times out the status of the server changes to active automatically If you set the status of the server to blocked before the quiet timer times out the status of the server c...

Page 92: ... next secondary server in active state a secondary RADIUS server configured earlier has a higher priority When the quiet timer of a server times out the status of the server changes to active automatically If you set the status of the server to blocked before the quiet timer times out the status of the server cannot change back to active automatically unless you set the status to active manually I...

Page 93: ...stop accounting buffer timer quiet RADIUS scheme view Use timer quiet to set the quiet timer for servers Use undo timer quiet to restore the default Syntax timer quiet minutes undo timer quiet Default The server quiet period is 5 minutes Views RADIUS scheme view Default command level 2 System level Parameters minutes Server quiet period in minutes ranging from 0 to 255 If you set this argument to ...

Page 94: ...realtime accounting Default The real time accounting interval is 12 minutes Views RADIUS scheme view Default command level 2 System level Parameters minutes Real time accounting interval in minutes The value can be 0 or a multiple of 3 ranging from 3 to 60 Usage guidelines For real time accounting a NAS must transmit the accounting information of online users to the RADIUS accounting server period...

Page 95: ...S scheme view Default command level 2 System level Parameters seconds RADIUS server response timeout period in seconds ranging from 1 to 10 Usage guidelines If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request authentication authorization or accounting request it resends the request so that the user has more opportunity to obtain the RADIUS servic...

Page 96: ...an ISP domain name Before sending a username including a domain name to such a RADIUS server the device must remove the domain name This command allows you to specify whether to include a domain name in a username to be sent to a RADIUS server If a RADIUS scheme defines that the username is sent without the ISP domain name do not apply the RADIUS scheme to more than one ISP domain avoiding the con...

Page 97: ...traffic statistics unit for data flows or packets Use undo data flow format to restore the default Syntax data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet undo data flow format data packet Default The unit for data flows is byte and that for data packets is one packet Views HWTACACS scheme view Default command level 2 System level Param...

Page 98: ...e HWTACACS scheme Without this keyword the command displays the configuration of the HWTACACS scheme slot slot number Specifies a card by its slot number The slot number argument represents the slot number of the card If you do not specify a card this command displays the HWTACACS scheme configuration on MPUs In standalone mode chassis chassis number slot slot number Specifies a card on an IRF mem...

Page 99: ...onse timeout interval sec 5 Acct stop PKT retransmit times 100 Username format with domain Data traffic unit B Packet traffic unit one packet Table 8 Command output Field Description HWTACACS server template name Name of the HWTACACS scheme Primary authentication server IP address and port number of the primary authentication server If no primary authentication server is specified this field displ...

Page 100: ...Slot 0 HWTACACS template gy primary authentication HWTACACS server open number 10 HWTACACS server close number 10 HWTACACS authen client access request packet number 10 HWTACACS authen client access response packet number 6 HWTACACS authen client unknown type number 0 HWTACACS authen client timeout number 4 HWTACACS authen client packet dropped number 4 HWTACACS authen client access request change...

Page 101: ...number 0 HWTACACS account client unknown type number 0 HWTACACS account client timeout number 0 HWTACACS account client packet dropped number 0 HWTACACS account client request command level number 0 HWTACACS account client request connection number 0 HWTACACS account client request EXEC number 0 HWTACACS account client request network number 0 HWTACACS account client request system event number 0 ...

Page 102: ...ied regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display information about the stop accounting requests buffered for HWTACACS scheme hwt1 on the card in slot 0 In standalone mode Sysname display stop accounting buffer hwtacacs scheme hwt1 slot 0 Slo...

Page 103: ... If it is not the server drops the packet You can specify up to one public network source IP address and 15 private network source IP addresses A newly specified public network source IP address overwrites the previous one Each VPN can have only one private network source IP address specified A private network source IP address newly specified for a VPN overwrites the previous one The setting conf...

Page 104: ...unting Sets the shared key for secure HWTACACS accounting communication authentication Sets the shared key for secure HWTACACS authentication communication authorization Sets the shared key for secure HWTACACS authorization communication cipher Sets a ciphertext shared key simple Sets a plaintext shared key key Specifies the shared key string This argument is case sensitive If simple is specified ...

Page 105: ...p to restore the default Syntax nas ip ip address undo nas ip Default The source IP address of an outgoing HWTACACS packet is configured by the hwtacacs nas ip command in system view If the hwtacacs nas ip command is not configured the source IP address is the IP address of the outbound interface Views HWTACACS scheme view Default command level 2 System level Parameters ip address IP address in do...

Page 106: ...unting server in dotted decimal notation The default is 0 0 0 0 port number Service port number of the primary HWTACACS accounting server It is a TCP port in the range of 1 to 65535 and defaults to 49 vpn instance vpn instance name Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the ...

Page 107: ...t number Service port number of the primary HWTACACS authentication server It is a TCP port in the range of 1 to 65535 and defaults to 49 vpn instance vpn instance name Specifies the MPLS L3VPN to which the primary HWTACACS authentication server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the server is on the public network do not specify this option ...

Page 108: ...Service port number of the primary HWTACACS authorization server It is a TCP port in the range of 1 to 65535 and defaults to 49 vpn instance vpn instance name Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the server is on the public network do not specify this option Usage guide...

Page 109: ...level Parameters accounting Specifies the HWTACACS accounting statistics all Specifies all HWTACACS statistics authentication Specifies the HWTACACS authentication statistics authorization Specifies the HWTACACS authorization statistics slot slot number Specifies a card by its slot number The slot number argument represents the slot number of the card In standalone mode chassis chassis number slot...

Page 110: ...hassis chassis number slot slot number Specifies a card on an IRF member device The chassis number argument represents the member ID of the IRF member device and the slot number argument represents the slot number of the card In IRF mode Examples Clear the stop accounting requests buffered for HWTACACS scheme hwt1 Sysname reset stop accounting buffer hwtacacs scheme hwt1 Related commands stop acco...

Page 111: ...he secondary HWTACACS accounting server in dotted decimal notation The default is 0 0 0 0 port number Service port number of the secondary HWTACACS accounting server It is a TCP port in the range of 1 to 65535 and defaults to 49 vpn instance vpn instance name Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs to The vpn instance name argument is a case sensitive str...

Page 112: ...ver in dotted decimal notation The default is 0 0 0 0 port number Service port number of the secondary HWTACACS authentication server It is a TCP port in the range of 1 to 65535 and defaults to 49 vpn instance vpn instance name Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If th...

Page 113: ...erver It is a TCP port in the range of 1 to 65535 and defaults to 49 vpn instance vpn instance name Specifies the MPLS L3VPN to which the secondary HWTACACS authorization server belongs The vpn instance name argument is a case sensitive string of 1 to 31 characters If the server is on the public network do not specify this option Usage guidelines The IP addresses of the primary and secondary autho...

Page 114: ...AS must make its best effort to send every stop accounting request to the HWTACACS accounting servers For each stop accounting request that receives no response in the specified period of time the NAS buffers and resends the packet until it receives a response or until the number of transmission attempts reaches the configured limit In the latter case the NAS discards the packet Examples In HWTACA...

Page 115: ...g interval Use undo timer realtime accounting to restore the default Syntax timer realtime accounting minutes undo timer realtime accounting Default The real time accounting interval is 12 minutes Views HWTACACS scheme view Default command level 2 System level Parameters minutes Real time accounting interval in minutes The value can be 0 or a multiple of 3 ranging from 3 to 60 A value of 0 means D...

Page 116: ...s undo timer response timeout Default The HWTACACS server response timeout time is 5 seconds Views HWTACACS scheme view Default command level 2 System level Parameters seconds HWTACACS server response timeout period in seconds ranging from 1 to 300 Usage guidelines HWTACACS is based on TCP When the server response timeout timer or the TCP timeout timer times out the device is disconnected from the...

Page 117: ...mand allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server If an HWTACACS scheme defines that the username is sent without the ISP domain name do not apply the HWTACACS scheme to more than one ISP domain This avoids the confusing situation in which the HWTACACS server regards two users in different ISP domains but with the same userid as one If the H...

Page 118: ...uidelines The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified Examples Specify VPN instance test for HWTACACS scheme hwt1 Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 vpn instance test Related commands display hwtacacs ...

Page 119: ...he end number and the two ports must be the same type Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lin...

Page 120: ...ode is Auto Port Control Type is Port based 802 1X Multicast trigger is enabled Mandatory authentication domain NOT configured Guest VLAN 4 Auth fail VLAN NOT configured Critical VLAN 3 Critical recovery action reinitialize Max number of on line users is 1024 EAPOL Packet Tx 1087 Rx 986 Sent EAP Request Identity Packets 943 EAP Request Challenge Packets 60 EAP Success Packets 29 Fail Packets 55 Re...

Page 121: ...er in minutes The maximum 802 1X user resource number per slot Maximum number of concurrent 802 1X user per card Total current used 802 1X resource number Total number of online 802 1X users GigabitEthernet3 0 1 is link up Status of the port In this example GigabitEthernet 3 0 1 is up 802 1X protocol is disabled Whether 802 1X is enabled on the port Proxy trap checker is disabled Whether the port ...

Page 122: ... Tx and received Rx EAPOL packets Sent EAP Request Identity Packets Number of sent EAP Request Identity packets EAP Request Challenge Packets Number of sent EAP Request Challenge packets EAP Success Packets Number of sent EAP Success packets Fail Packets Number of sent EAP Failure packets Received EAPOL Start Packets Number of received EAPOL Start packets EAPOL LogOff Packets Number of received EA...

Page 123: ...o disable 802 1X globally Use the dot1x interface command in system view or the dot1x command in interface view to enable 802 1X for specified ports Use the undo dot1x interface command in system view or the undo dot1x command in interface view to disable 802 1X for specified ports 802 1X must be enabled both globally in system view and for the intended ports in system view or interface view Other...

Page 124: ... and use the Password Authentication Protocol PAP to communicate with the RADIUS server Usage guidelines The network access device terminates or relays EAP packets In EAP termination mode The access device re encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server and performs either CHAP or PAP authentication with the RADIUS server In this mo...

Page 125: ...th fail vlan Default No Auth Fail VLAN is configured on a port Views Ethernet interface view Default command level 2 System level Parameters authfail vlan id Specifies the ID of the Auth Fail VLAN for the port in the range of 1 to 4094 Make sure that the VLAN has been created and is not a super VLAN For more information about super VLANs see Layer 2 LAN Switching Configuration Guide Usage guidelin...

Page 126: ...1 to 4094 Make sure that the VLAN has been created and is not a super VLAN For more information about super VLANs see Layer 2 LAN Switching Configuration Guide Usage guidelines You can configure only one critical VLAN on a port The MAC authentication critical VLANs on different ports can be different When you change the access control method from MAC based to port based on the port the mappings be...

Page 127: ...rt It enables the port to take one of the following actions to trigger 802 1X authentication after removing 802 1X users from the critical VLAN on detection of a reachable RADIUS authentication server If MAC based access control is used the port sends a unicast Identity EAP Request to each 802 1X user If port based access control is used the port sends a multicast Identity EAP Request to all the 8...

Page 128: ... user name user name commands are not available for 802 1X users that use or as the domain name delimiter For more information about the two commands see AAA configuration commands Examples Specify the characters and as domain name delimiters Sysname system view Sysname dot1x domain delimiter dot1x guest vlan Use dot1x guest vlan to configure an 802 1X guest VLAN for the specified or all ports A g...

Page 129: ...nterface Enable the 802 1X multicast trigger function To delete a VLAN that has been configured as a guest VLAN you must remove the guest VLAN configuration first You can configure both an Auth Fail VLAN and an 802 1X guest VLAN on a port Examples Specify VLAN 999 as the 802 1X guest VLAN for port GigabitEthernet 3 0 1 Sysname system view Sysname dot1x guest vlan 999 interface gigabitethernet 3 0 ...

Page 130: ...e dot1x handshake secure Use dot1x handshake secure to enable the online user handshake security function The function enables the device to prevent users from using illegal client software Use undo dot1x handshake secure to disable the function Syntax dot1x handshake secure undo dot1x handshake secure Default The function is disabled Views Ethernet Interface view Default command level 2 System le...

Page 131: ... and the default ISP domain To display or cut all 802 1X connections in a mandatory domain use the display connection domain isp name or cut connection domain isp name command The output from the display connection command without any parameters displays domain names entered by users at login For more information about the display connection command or the cut connection command see AAA configurat...

Page 132: ... ports The interface list argument is in the format of interface list interface type interface number to interface type interface number 1 10 where interface type represents the port type interface number represents the port number and 1 10 means that you can provide up to 10 ports or port ranges The start port number must be smaller than the end number and the two ports must be of the same type U...

Page 133: ...er undo dot1x multicast trigger Default The multicast trigger function is enabled Views Ethernet interface view Default command level 2 System level Usage guidelines You can use the dot1x timer tx period command to set the interval for sending multicast Identify EAP Request packets Examples Enable the multicast trigger function on interface GigabitEthernet 3 0 1 Sysname system view Sysname interfa...

Page 134: ...e interface number to interface type interface number 1 10 where interface type represents the port type interface number represents the port number and 1 10 means that you can provide up to 10 ports or port ranges The start port number must be smaller than the end number and the two ports must be of the same type Usage guidelines In system view if no interface is specified the command applies to ...

Page 135: ...ort list which can contain multiple Ethernet ports The interface list argument is in the format of interface list interface type interface number to interface type interface number 1 10 where interface type represents the port type interface number represents the port number and 1 10 means that you can provide up to 10 ports or port ranges for this argument The start port number must be smaller th...

Page 136: ...ticate Use dot1x re authenticate to enable the periodic online user re authentication function Use undo dot1x re authenticate to disable the function Syntax dot1x re authenticate undo dot1x re authenticate Default The periodic online user re authentication function is disabled Views Ethernet interface view Default command level 2 System level Usage guidelines Periodic re authentication enables the...

Page 137: ... 2 System level Parameters max retry value Specifies the maximum number of attempts for sending an authentication request to a client The value range is 1 to 10 Usage guidelines After the network access device sends an authentication request to a client if the device receives no response from the client within the username request timeout timer set with the dot1x timer tx period tx period value co...

Page 138: ...ports The interface list argument is in the format of interface list interface type interface number to interface type interface number 1 10 where interface type represents the port type interface number represents the port number and 1 10 means that you can provide up to 10 ports or port ranges The start port number must be smaller than the end number and the two ports must be of the same type If...

Page 139: ...5 to 1024 quiet period value Sets the quiet timer in seconds It is in the range of 10 to 120 reauth period value Sets the periodic re authentication timer in seconds It is in the range of 60 to 7200 server timeout value Sets the server timeout timer in seconds It is in the range of 100 to 300 supp timeout value Sets the client timeout timer in seconds It is in the range of 1 to 120 tx period value...

Page 140: ...st Identity packet to a client in response to an authentication request If the device receives no response before this timer expires it retransmits the request The timer also sets the interval at which the network device sends multicast EAP Request Identity packets to detect clients that cannot actively request authentication Examples Set the server timeout timer to 150 seconds Sysname system view...

Page 141: ...thernet ports The interface list argument is in the format of interface list interface type interface number to interface type interface number 1 10 where interface type represents the port type interface number represents the port number and 1 10 means that you can provide up to 10 ports or port ranges The start port number must be smaller than the end number and the two ports must be of the same...

Page 142: ...ameters ip address Specifies a freely accessible IP address segment also called a free IP mask Specifies an IP address mask mask length Specifies IP address mask length all Removes all free IP addresses Usage guidelines When global MAC authentication or port security is enabled the free IP does not take effect The maximum number of free IP addresses varies by device Examples Configure 192 168 0 0 ...

Page 143: ...twork to access the free IP To prevent ACL rule resources from being used up you can shorten the timer when the amount of EAD users is large Examples Set the EAD rule timer to 5 minutes Sysname system view Sysname dot1x timer ead timeout 5 Related commands display dot1x dot1x url Use dot1x url to configure a redirect URL When a user uses a Web browser to access networks other than the free IP the ...

Page 144: ... dot1x url command multiple times the last configured URL takes effect Examples Configure the redirect URL as http 192 168 0 1 Sysname system view Sysname dot1x url http 192 168 0 1 Related commands display dot1x dot1x free ip ...

Page 145: ...erface number portion comprises only one port Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that ...

Page 146: ...d this field displays mac Fixed password Password of the shared account for MAC authentication users If MAC based accounts are used or if a shared account is used but no password is configured this field displays not configured If a shared account is used and a password is configured this field displays Offline detect period Setting of the offline detect timer Quiet period Setting of the quiet tim...

Page 147: ... system view to enable MAC authentication on a list of ports or use mac authentication in interface view to enable MAC authentication on a port Use undo mac authentication in system view to disable MAC authentication globally Use undo mac authentication interface interface list in system view to disable MAC authentication on a list of ports or use undo mac authentication in interface view to disab...

Page 148: ...domain in interface view for MAC authentication users Use undo mac authentication domain to restore the default Syntax mac authentication domain domain name undo mac authentication domain Default The default authentication domain is used for MAC authentication users For more information about the default authentication domain see the domain default enable command in AAA configuration commands View...

Page 149: ...undo mac authentication max user Default The maximum number of concurrent MAC authentication users on a port is 1024 Views Interface view Default command level 2 System level Parameters user number Specifies a maximum number of concurrent MAC authentication users on the port The value range is 1 to 1024 Examples Configure port GigabitEthernet 3 0 1 to support up to 32 concurrent MAC authentication...

Page 150: ...out server timeout value Sets the server timeout timer in seconds in the range of 100 to 300 This timer sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server unavailable If the timer expires during MAC authentication the user cannot access the network Examples Set the server timeout timer to 150 seconds Sysname system view Sysname ma...

Page 151: ...ser account for each user A user can pass MAC authentication only when its MAC address matches a MAC based user account This method is suitable for an insecure environment One shared user account for all users Any user can pass MAC authentication on any MAC authentication enabled port You can use this method in a secure environment to limit network resources accessible to MAC authentication users ...

Page 152: ... start port and end port of a port range must be of the same type and the end port number must be greater than the start port number A port range defined without the to interface type interface number portion comprises only one port Usage guidelines If no port list is specified the command clears all global and port specific MAC authentication statistics If a port list is specified the command cle...

Page 153: ...r sending probe packets in the range of 5 to 120 in seconds idle time idletime Specifies the user idle timeout If the interface receives no user traffic within the configured idle time the specified probe begins The value range for the idletime argument is 1 to 600 minutes and the default is 3 minutes Usage guidelines When this function is configured on an interface the interface starts an idle ti...

Page 154: ... on the specified interface Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specifie...

Page 155: ...255 Port any Rule 2 Inbound interface GigabitEthernet3 0 1 Type static Action redirect Protocol 0 Source IP 0 0 0 0 Mask 0 0 0 0 Port any MAC 0000 0000 0000 Interface any VLAN 2 Destination IP 0 0 0 0 Mask 0 0 0 0 Port 80 Rule 3 Inbound interface GigabitEthernet3 0 1 Type dynamic Action permit Source IP 2 2 2 2 Mask 255 255 255 255 MAC 000d 88f8 0eab Interface GigabitEthernet3 0 1 VLAN 0 Protocol ...

Page 156: ... portal ACL Protocol Protocol type in the portal ACL Destination Destination information in the portal ACL IP Destination IP address in the portal ACL Port Destination transport layer port number in the portal ACL Mask Subnet mask of the destination IP address in the portal ACL Author ACL Authorization ACL information It is displayed only when the value of the Type field is dynamic Number Authoriz...

Page 157: ...istics on interface GigabitEthernet 3 0 1 Sysname display portal connection statistics interface gigabitethernet 3 0 1 Interface GigabitEthernet3 0 1 User state statistics State Name User Num VOID 0 DISCOVERED 0 WAIT_AUTHEN_ACK 0 WAIT_AUTHOR_ACK 0 WAIT_LOGIN_ACK 0 WAIT_ACL_ACK 0 WAIT_NEW_IP 0 WAIT_USERIPCHANGE_ACK 0 ONLINE 1 WAIT_LOGOUT_ACK 0 WAIT_LEAVING_ACK 0 Message statistics Msg Name Total Er...

Page 158: ...ledgment message MSG_LOGOUT_ACK Accounting stop acknowledgment message MSG_LEAVING_ACK Leaving acknowledgment message MSG_CUT_REQ Cut request message MSG_AUTH_REQ Authentication request message MSG_LOGIN_REQ Accounting request message MSG_LOGOUT_REQ Accounting stop request message MSG_LEAVING_REQ Leaving request message MSG_ARPPKT ARP message MSG_PORT_REMOVE Users of a Layer 2 port removed message...

Page 159: ...de regular expression Views Any view Default command level 1 Monitor level Parameters rule number Specifies the number of a portal free rule in the range of 0 to 1023 Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines t...

Page 160: ...t Source transport layer port number in the portal free rule MAC Source MAC address in the portal free rule Interface Source interface in the portal free rule Vlan Source VLAN in the portal free rule Destination Destination information in the portal free rule IP Destination IP address in the portal free rule Mask Subnet mask of the destination IP address in the portal free rule Port Destination tr...

Page 161: ...pe Layer3 Authentication domain my domain Authentication network Source IP 1 1 1 1 Mask 255 255 0 0 Destination IP 11 1 1 0 Mask 255 255 255 0 Table 15 Command output Field Description Portal configuration of interface Portal configuration on the interface IPv4 IPv4 portal configuration Status Status of the portal authentication on the interface Portal disabled Portal authentication is disabled Po...

Page 162: ...n include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display information about portal server aaa Sysname display portal server aaa Portal server 1 aaa IP 192 168 0 111 VPN instance vpn1 Port 50100 Key URL http 192 168 0 111 Server Type IMC Status Up Table 16 Command output ...

Page 163: ...xpression Views Any view Default command level 1 Monitor level Parameters all Specifies all interfaces interface interface type interface number Specifies an interface by its type and name Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expr...

Page 164: ... Description Interface Interface referencing the portal server Invalid packets Number of invalid packets Pkt Name Packet type Total Total number of packets Discard Number of discarded packets Checkerr Number of erroneous packets REQ_CHALLENGE Challenge request message the portal server sent to the access device ACK_CHALLENGE Challenge acknowledgment message the access device sent to the portal ser...

Page 165: ...the portal server ACK_NTF_USERSYNC User synchronization acknowledgment packet the access device sent to the portal server NTF_CHALLENGE Challenge request the access device sent to the portal server NTF_USER_NOTIFY User information notification message the access device sent to the portal server AFF_NTF_USER_NOTIFY NTF_USER_NOTIFY acknowledgment message the access device sent to the portal server N...

Page 166: ...ived 0 Packets Sent 0 Packets Retransmitted 0 Packets Dropped 0 HTTP Packets Sent 0 Connection State SYN_RECVD 0 ESTABLISHED 0 CLOSE_WAIT 0 LAST_ACK 0 FIN_WAIT_1 0 FIN_WAIT_2 0 CLOSING 0 Table 18 Command output Field Description TCP Cheat Statistic TCP spoofing statistics Total Opens Total number of opened connections Resets Connections Number of connections reset through RST packets Current Opens...

Page 167: ...mand output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression...

Page 168: ...nfigure a portal authentication source subnet on an interface You can use this command to configure multiple portal authentication source subnets on an interface Then only HTTP packets from the subnets can trigger portal authentication on the interface If an unauthenticated user is not on any authentication source subnet the access device discards all the user s HTTP packets that do not match any ...

Page 169: ...uth network destination Use portal auth network destination to configure an authentication destination subnet on an interface Then only users accessing the specified subnet excluding the destination IP addresses and subnets specified in portal free rules trigger portal authentication on the interface Users can access other networks through the interface without portal authentication Use undo porta...

Page 170: ...gabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 portal auth network destination 2 2 2 0 24 portal delete user Use portal delete user to log off portal users Syntax portal delete user ip address all interface interface type interface number Views System view Default command level 2 System level Parameters ip address Logs off the portal user with the specified IPv4 address all Logs off all portal u...

Page 171: ...domain Use portal domain to specify an authentication domain for portal users on an interface Then the device uses the authentication domain for authentication authorization and accounting AAA of the portal users on the interface Use undo portal domain to delete the authentication domain specified for portal users Syntax portal domain domain name undo portal domain Default No authentication domain...

Page 172: ...the range of 0 to 32 tcp tcp port number to tcp port number Specifies a range of TCP port numbers The value range for the tcp port number argument is 0 to 65535 udp udp port number to udp port number Specifies a range of UDP port numbers The value range for the udp port number argument is 0 to 65535 interface interface type interface number Specifies a source interface mac mac address Specifies a ...

Page 173: ...tal max user to set the maximum number of online portal users allowed in the system Use undo portal max user to restore the default Syntax portal max user max number undo portal max user Default The maximum number of portal users is that supported by the system Views System view Default command level 2 System level Parameters max number Maximum number of online portal users allowed in the system T...

Page 174: ... interface view If no NAS ID is configured for the interface the device uses the NAS ID configured in system view Examples Specify the NAS ID of a RADIUS request to be sent on GigabitEthernet 3 0 1 as 0002053110000460 Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 portal nas id 0002053110000460 portal nas id profile Use portal nas id profile to specify a N...

Page 175: ...as ip to delete the specified source IP address Syntax portal nas ip ip address undo portal nas ip Default No source IP address is specified for outgoing portal packets on an interface and the interface uses the IP address of the user access interface as the source IP address for outgoing portal packets Views Interface view Default command level 2 System level Parameters ip address Specifies a sou...

Page 176: ...sends a RADIUS request that carries the NAS Port ID attribute to the RADIUS server Examples Specify the NAS Port ID value of GigabitEthernet 3 0 1 as ap1 Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 portal nas port id ap1 portal nas port type Use portal nas port type to specify the access port type indicated by the NAS Port Type value on the current inte...

Page 177: ...ess bar before portal authentication Views System view Default command level 2 System level Parameters url string Autoredirection URL for authenticated portal users a string of 1 to 127 characters It must start with http or https and must be a fully qualified URL Usage guidelines To use this feature for remote Layer 3 portal authentication the portal server must be an IMC portal server that suppor...

Page 178: ...The default is imc cmcc CMCC portal server To use a CMCC portal server you must also specify a device ID for the access device by using the portal device id command imc IMC portal server url url string Specifies the uniform resource locator URL to which HTTP packets are to be redirected The default URL is in the http ip address format where ip address is the IP address of the portal server You can...

Page 179: ...erver server name method direct layer3 redhcp undo portal Default Layer 3 portal authentication is disabled on an interface Views Interface view Default command level 2 System level Parameters server name Name of a portal server a case sensitive string of 1 to 32 characters method Specifies the authentication mode to be used direct Direct authentication layer3 Cross subnet authentication redhcp Re...

Page 180: ...the portal server heartbeat function you can configure the device to use the HTTP probe method to detect the reachability of the portal server portal heartbeat Probes portal heartbeat packets Portal servers periodically send portal heartbeat packets to the access devices If the access device receives a portal heartbeat packet from a portal server within the specified interval the access device con...

Page 181: ... server for multiple times the last configuration takes effect If you do not specify an optional parameter the default setting of the parameter is used The portal server detection function takes effect only when the portal server is referenced on an interface Authentication related packets from a portal server such as logon requests and logoff requests have the same effect as the portal heartbeat ...

Page 182: ...n on the portal server and make sure that the user heartbeat interval configured on the portal server is shorter than or equal to the synchronization probe interval configured on the device Deleting a portal server on the device will delete the portal user synchronization configuration with the portal server If you configure the user synchronization function for a portal server for multiple times ...

Page 183: ...ax reset portal server statistics all interface interface type interface number Views User view Default command level 1 Monitor level Parameters all Specifies all interfaces interface interface type interface number Specifies an interface by its type and number Examples Clear portal server statistics on interface GigabitEthernet 3 0 1 Sysname reset portal server statistics interface gigabitetherne...

Page 184: ...pression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case...

Page 185: ... logon trap Whether trapping for 802 1X logon is enabled or not If it is enabled the port sends trap information after a user passes 802 1X authentication Dot1x logoff trap Whether trapping for 802 1X logoff is enabled or not If it is enabled the port sends trap information after an 802 1X user logs off Dot1x logfailure Whether trapping for 802 1X authentication failure is enabled or not If it is ...

Page 186: ...blePort Shuts down the port that receives illegal packets permanently DisablePortTemporarily Shuts down the port that receives illegal packets for some time NoAction Performs no intrusion protection Max MAC address number Maximum number of MAC addresses that port security allows on the port Stored MAC address number Number of MAC addresses stored Authorization Whether the authorization information...

Page 187: ...a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expre...

Page 188: ...nd 1 mac address es found Display information about all blocked MAC addresses of port GigabitEthernet 3 0 1 in VLAN 30 Sysname display port security mac address block interface gigabitethernet 3 0 1 vlan 30 MAC ADDR From Port VLAN ID 000f 3d80 0d2d GigabitEthernet3 0 1 30 On slot 3 1 mac address es found 1 mac address es found Table 21 Command output Field Description MAC ADDR Blocked MAC address ...

Page 189: ...n Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines With no keyword or argument...

Page 190: ... Table 22 Command output Field Description MAC ADDR Secure MAC address VLAN ID ID of the VLAN to which the port belongs STATE Type of the MAC address added Security means it is a secure MAC address PORT INDEX Port to which the secure MAC address belongs AGING TIME Period of time before the secure MAC address ages out NOAGED is displayed for secure MAC addresses 2 mac address es found Number of sec...

Page 191: ...curity enable to enable port security Use undo port security enable to disable port security Syntax port security enable undo port security enable Default Port security is disabled Views System view Default command level 2 System level Usage guidelines You must disable global 802 1X and MAC authentications before you enable port security on a port Enabling or disabling port security resets the fol...

Page 192: ... To view the blocked MAC address list use the display port security mac address block command disableport Disables the port permanently upon detecting an illegal frame received on the port disableport temporarily Disables the port for a specific period of time whenever it receives an illegal frame Use port security timer disableport to set the period Usage guidelines To restore the connection of t...

Page 193: ...ddresses on interface GigabitEthernet 3 0 1 Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 port security mac address aging type inactivity Related commands port security timer autolearn aging port security mac address dynamic port security mac address dynamic Use port security mac address dynamic to enable the dynamic secure MAC function This function conv...

Page 194: ...ac address security to remove a secure MAC address Syntax In Layer 2 Ethernet interface view port security mac address security sticky mac address vlan vlan id undo port security mac address security sticky mac address vlan vlan id In system view port security mac address security sticky mac address interface interface type interface number vlan vlan id undo port security mac address security mac ...

Page 195: ...ity 1 1 1 vlan 10 entry exists To add the new entry you must delete the old entry To enable port security on a port use the port security enable command and to set the port in autoLearn mode use the port security port mode autolearn command When the dynamic secure MAC function is enabled using the port security mac address dynamic command you cannot manually configure sticky MAC addresses Examples...

Page 196: ...X MAC authentication or both this command sets the maximum number of authenticated MAC addresses on the port The actual maximum number of concurrent users that the port accepts equals this limit or the authentication method s limit on the number of concurrent users whichever is smaller For example in userLoginSecureExt mode if 802 1X allows less concurrent users than port security s limit on the n...

Page 197: ...xamples Set the NTK mode of port GigabitEthernet 3 0 1 to ntkonly allowing the port to forward received packets to only devices passing authentication Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 port security ntk mode ntkonly Related commands display port security port security oui Use port security oui to configure an OUI value for user authentication ...

Page 198: ...e userlogin secure ext userlogin secure or mac userlogin secure or mac ext userlogin withoui undo port security port mode Default A port operates in noRestrictions mode where port security does not take effect Views Interface view Default command level 2 System level Parameters Keyword Security mode Description autolearn autoLearn In this mode a port can learn MAC addresses and allows frames sourc...

Page 199: ... authentication and implements MAC based access control It services only one user passing 802 1X authentication userlogin secure ext userLoginSecureExt Similar to the userLoginSecure mode except that this mode supports multiple online 802 1X users userlogin secure or mac macAddressOrUserL oginSecure This mode is the combination of the userLoginSecure and macAddressWithRadius modes The port perform...

Page 200: ...rity timer autolearn aging Use port security timer autolearn aging to set the secure MAC aging timer The timer applies to all sticky or dynamic secure MAC addresses Use undo port security timer autolearn aging to restore the default Syntax port security timer autolearn aging time value undo port security timer autolearn aging Default Secure MAC addresses never age out Views System view Default com...

Page 201: ... as disabling the port temporarily whenever it receives an illegal frame and set the silence period to 30 seconds Sysname system view Sysname port security timer disableport 30 Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 port security intrusion mode disableport temporarily Related commands display port security port security trap Use port security trap to enable port secur...

Page 202: ...ty module sends traps when it detects illegal frames ralmlogfailure Enables MAC authentication failure traps The port security module sends traps when a MAC authentication fails ralmlogoff Enables MAC authentication user logoff traps The port security module sends traps when a MAC authentication user is logged off ralmlogon Enables MAC authentication success traps The port security module sends tr...

Page 203: ...s that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display information about all user profiles that have been created Sysname display user profile Status User profile enabled a123 Total user profiles 1 Enabled user profiles 1 Table 23 Command output Field Description Status Status of the user profi...

Page 204: ...e user profile a123 enable user profile Use user profile to create a user profile and enter user profile view If the specified user profile has been created you directly enter user profile view Use undo user profile to remove an existing disabled user profile You cannot remove a user profile that is enabled Syntax user profile profile name undo user profile profile name Default No user profiles ex...

Page 205: ...192 Enter the user profile view of a123 Sysname system view Sysname user profile a123 Sysname user profile a123 Related commands user profile enable ...

Page 206: ... Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display the global password control configuratio...

Page 207: ... authentication timeout time Maximum failed login attempts Allowed maximum number of consecutive failed login attempts for FTP and VTY users Login attempt failed action Action to be taken after a user fails to login for the specified number of attempts Minimum password update time Minimum password update interval User account idle time Maximum account idle time Login with aged password Number of t...

Page 208: ... guidelines With no arguments provided this command displays information about all users in the password control blacklist Examples Display information about users in the password control blacklist Sysname display password control blacklist Username test IP 192 168 44 1 Login failed times 1 Lock flag unlock Total 1 blacklist item s matched 1 listed Table 25 Command output Field Description Usernam...

Page 209: ...e bracket Left brace Left bracket Left parenthesis Minus sign Percent sign Plus sign Pound sign Quotation marks Right angle bracket Right brace Right bracket Right parenthesis Semi colon Slash Tilde Underscore _ Vertical bar A local user password configured in interactive mode must meet the password control requirement For example if the minimum password length is set to 8 the password must contai...

Page 210: ...the minimum password length restriction function Usage guidelines For these four functions to take effect the password control feature must be enabled globally You must enable a function for its relevant configurations to take effect For example if the minimum password length restriction function is not enabled the setting by the password control length command does not take effect The system stop...

Page 211: ... group view applies to all local users in the user group The setting in local user view applies only to the local user A password aging time setting with a smaller application range has a higher priority The system prefers to use the password aging time in local user view for a local user If no password aging time is configured for the local user the system uses the password aging time for the use...

Page 212: ...g which the user is notified of the pending password expiration The value range is 1 to 30 Examples Configure the device to notify a user about pending password expiration 10 days before the user s password expires Sysname system view Sysname password control alert before expire 10 password control authentication timeout Use password control authentication timeout to set the user authentication ti...

Page 213: ...tem level Parameters same character Refuses a password that contains any character repeated consecutively three or more times user name Refuses a password that contains the username or the reverse of the username Examples Configure the password complexity checking policy refusing any password that contains the username or the reverse of the username Sysname system view Sysname password control com...

Page 214: ...nce and apply to all user groups The settings in user group view apply to all local users in the user group The settings in local user view apply only to the local user A password composition policy with a smaller application range has a higher priority The system prefers to use the password composition policy in local user view for a local user If no policy is configured for the local user the sy...

Page 215: ...sname system view Sysname password control enable Related commands display password control password control expired user login Use password control expired user login to set the maximum number of days and maximum number of times that a user can log in after the password expires Use undo password control expired user login to restore the defaults Syntax password control expired user login delay de...

Page 216: ...l history Default The maximum number of history password records for each user is 4 Views System view Default command level 2 System level Parameters max record num Specifies the maximum number of history password records for each user The value range is 2 to 15 Examples Set the maximum number of history password records for each user to 10 Sysname system view Sysname password control history 10 p...

Page 217: ... the minimum password length restriction function is disabled the following rules apply In non FIPS mode the minimum password length is four characters and the password must have at least four different characters In FIPS mode the minimum password length is eight characters and the password must have at least four different characters Examples Set the global minimum password length to 9 characters...

Page 218: ...assword control login attempt to restore the default Syntax password control login attempt login times exceed lock lock time time unlock undo password control login attempt Default The maximum number of consecutive failed login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again Views System view Default command level 2 Syste...

Page 219: ... test IP 192 168 44 1 Login failed times 4 Lock flag lock Total 1 blacklist item s matched 1 listed The user can no longer log in Set the maximum number of login attempts to 2 and prohibit a user from logging in within 3 minutes if the user fails to log in after two attempts Sysname system view Sysname password control login attempt 2 exceed lock time 3 Later if a user tries to log in but fails tw...

Page 220: ... password update interval 36 Related commands display password control password control super aging Use password control super aging to set the aging time for super passwords Use undo password control super aging to restore the default Syntax password control super aging aging time undo password control super aging Default The aging time for super passwords is the same as the global password aging...

Page 221: ... the type number argument is 1 to 4 in non FIPS mode The value range for the type number argument is fixed to 4 in FIPS mode type length type length Specifies the minimum number of characters that are from each character type for super passwords The value range for the type length argument is 1 to 16 Usage guidelines If you do not specify a composition policy for super passwords the system applies...

Page 222: ...e specified the minimum length of super passwords the system applies the specified minimum length to super passwords Examples Set the minimum length for super passwords to 10 characters Sysname system view Sysname password control super length 10 Related commands password control length reset password control blacklist Use reset password control blacklist to remove all or one user from the passwor...

Page 223: ...eted The name argument is a case sensitive string of 1 to 80 characters super Deletes the history records of the super password specified by the level level option or the history records of all super passwords level level Specifies a user level in the range of 1 to 3 Usage guidelines With no arguments or keywords specified this command deletes the history password records of all local users With t...

Page 224: ...stem running on the RSH server Usage guidelines The remote host must run the RSH daemon Examples Display information about the directories and files on remote host 169 254 1 100 which is running Windows 2000 Sysname rsh 169 254 1 100 command dir Trying 169 254 1 100 Press CTRL K to abort Volume in drive C is SYSTEM Volume Serial Number is 2A0F 18DF Directory of C WRSHDNT 2004 07 13 09 10 DIR 2004 ...

Page 225: ... exe 2004 01 02 15 54 196 608 wrshdsp exe 2004 01 02 15 54 102 400 wrshdnt exe 2001 07 30 18 05 766 wrshdnt ico 2004 07 13 09 10 3 253 INSTALL LOG 21 files 1 749 848 bytes 2 directories 2 817 417 216 bytes free Set the system time of remote host 169 254 1 100 which is running Windows 2000 Sysname rsh 169 254 1 100 command time Trying 169 254 1 100 Press CTRL K to abort The current time is 6 56 42 ...

Page 226: ...isplays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display the public key information of the local RS...

Page 227: ...93C52B20CD35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC 717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1585 DA7F42519718CC9B09EEF0381850002818100CCF1F78E0860BE937FD3CA07D2F2A1B66E74E5D1E16693EB 374D677A7A6124EBABD59FE48796C56F3FF919F999AEB97D1F2B83D9B98AC09BC1F72E80DBE337CB29989 A23378EB21C38EE083F11ED6DC8D4DBE001BA85450CEA071C2A471C83761E4CF3...

Page 228: ...ed the command displays detailed information about all locally saved peer public keys You can use the public key peer command or the public key peer import sshkey command to get a local copy of a peer public key Examples Display detailed information about the peer host public key named idrsa Sysname display public key peer name idrsa Key Name idrsa Key Type RSA Key Module 1024 Key Code 30819D300D0...

Page 229: ... Public key view Default command level 2 System level Related commands public key peer Examples Exit public key view Sysname system view Sysname public key peer key1 Sysname pkey public key peer public key end Sysname public key code begin Use public key code begin to enter public key code view Then enter the key data in the correct format to specify the peer public key Spaces and carriage returns...

Page 230: ...Related commands public key peer public key code end public key code end Use public key code end to return from public key code view to public key view and to save the configured public key Syntax public key code end Views Public key code view Default command level 2 System level Usage guidelines The system verifies the key before saving it If the key is not in the correct format the system discar...

Page 231: ... RSA key pair name key name Specifies a name for the key pair The key name argument is a case insensitive string of 1 to 64 characters including letters digits and hyphens If no name is specified the key pair uses the default name Table 30 Default local key pair names Type Default name RSA Host key pair hostkey Server key pair serverkey DSA dsakey Usage guidelines When using this command to create...

Page 232: ...C to abort Input the bits of the modulus default 1024 Generating Keys Create a local RSA key pair named rsa1 Sysname system view Sysname public key local create rsa name rsa1 The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Related commands public key loc...

Page 233: ...lic key local destroy dsa Warning Confirm to destroy these keys Y N y Destroy the local RSA key pair named rsa1 Sysname system view Sysname public key local destroy rsa name rsa1 Warning Destroy the key pair Continue Y N y Related commands public key local create public key local export Use public key local export to display an RSA key pair in PEM format on the terminal Syntax public key local exp...

Page 234: ...BC 7F8FAB15399DF87C MGaftNqe4esjetm7bRJHSpsbwZ9YUpvA9iWh8R406NGq8e 1A ZiK23 t1XqRwaU 1FXnwbqHgW1pZ7JxQdgBuC9uXc4VQyP xe6xCyUepdMC71fmeOaiwUFrj6LAzzBg o3SfhX1NHyHBnr7c6SnIeUTG2g qRdj40TD4HcRjgPaLaTGguZ553GyS6ODWAwL7 ZBTjv vow9kfewZ74ocoBje2gLcWlbmiEKCJGV06zW4gv2AH6I8TAhv4GovIN v1 lCsD2PscXnPOloLTE 8EDLRHNE8RpIYDWqI YI8Yg6wlx29mf29 cj 9r4gPrDPy c TQ0a0g95Khdy yl4eDKaFiQQ Kqn4zdzDTDNq7LRtqr7lGQzVw6sr...

Page 235: ...FqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEKdDt6xcatp RjxsSrhXFVIdRjxw59qZnKhl87GsbgP4ccUp3KmcRzuqpz1qNtfgoZOLzHnG1YGxPp7Q2k uRuuHN0bJfBkOL o2 RyGqDJIqB4FQwmrkwJuauYGqQy mgE6dmHn0VG4gAkx9MQxDIBjzbZRX0...

Page 236: ...les Export the host public key of the local RSA key pairs in OpenSSH format to the file named key pub Sysname system view Sysname public key local export public rsa openssh key pub Display the host public key of the local RSA key pairs in SSH2 0 format Sysname system view Sysname public key local export public rsa ssh2 BEGIN SSH2 PUBLIC KEY Comment rsa key 20070625 AAAAB3NzaC1yc2EAAAADAQABAAAAgQDA...

Page 237: ...ypted with a password You are asked to provide the password when importing the key pair Examples Import an RSA key pair in PEM format name the key pair as mykey and enter 12345678 as the password Sysname system view Sysname public key local import rsa name mykey pem Enter PEM formatted certificate End with a Ctrl C on a line by itself BEGIN RSA PRIVATE KEY Proc Type 4 ENCRYPTED DEK Info DES EDE3 C...

Page 238: ...keyname Views System view Default command level 2 System level Parameters keyname Specifies a name for the peer public key on the local device a case sensitive string of 1 to 64 characters Usage guidelines To configure the peer public key on the local device obtain the public key in hexadecimal from the peer device beforehand and perform the following configurations on the local device 1 Execute t...

Page 239: ...ecifies the name of the file that saves the peer host public key For more information about file name see Fundamentals Configuration Guide Usage guidelines After execution of this command the system automatically transforms the peer host public key to the PKCS format and imports the key This operation requires that you get a copy of the public key file from the peer device through FTP or TFTP in b...

Page 240: ...cate attribute group view Default command level 2 System level Parameters id Specifies the sequence number of the certificate attribute rule in the range of 1 to 16 alt subject name Specifies the name of the alternative certificate subject fqdn Specifies the FQDN of the entity ip Specifies the IP address of the entity issuer name Specifies the name of the certificate issuer subject name Specifies ...

Page 241: ...a identifier Use ca identifier to specify the trusted CA and bind the device with the CA Use undo ca identifier to remove the configuration Syntax ca identifier name undo ca identifier Default No trusted CA is specified for a PKI domain Views PKI domain view Default command level 2 System level Parameters name Specifies a trusted CA by its name a case insensitive string of 1 to 63 characters Usage...

Page 242: ... to specify the authority for certificate request Use undo certificate request from to remove the configuration Syntax certificate request from ca ra undo certificate request from Default No authority is specified for certificate request Views PKI domain view Default command level 2 System level Parameters ca Indicates that the entity requests a certificate from a CA ra Indicates that the entity r...

Page 243: ...manual mode Usage guidelines In auto mode an entity automatically requests a certificate from an RA or CA when it has no certificate However if the certificate will expire or has expired the entity does not initiate a re request automatically in which case you need to request a new one manually In manual mode all operations associated with certificate request are performed manually For security pu...

Page 244: ... number of attempts as 40 Sysname system view Sysname pki domain 1 Sysname pki domain 1 certificate request polling interval 15 Sysname pki domain 1 certificate request polling count 40 Related commands display pki certificate certificate request url Use certificate request url to specify the URL of the server for certificate request through SCEP Use undo certificate request url to remove the conf...

Page 245: ...mmon name is specified Views PKI entity view Default command level 2 System level Parameters name Specifies a common name for the entity a case insensitive string of 1 to 31 characters No comma can be included Examples Configure the common name of an entity as test Sysname system view Sysname pki entity 1 Sysname pki entity 1 common name test country Use country to specify the code of the country ...

Page 246: ... Enables CRL checking Usage guidelines CRLs are files issued by the CA to publish all certificates that have been revoked Revocation of a certificate might occur before the certificate expires CRL checking is intended for checking whether a certificate has been revoked A revoked certificate is no longer trusted Examples Disable CRL checking Sysname system view Sysname pki domain 1 Sysname pki doma...

Page 247: ...rl string undo crl url Default No CRL distribution point URL is specified Views PKI domain view Default command level 2 System level Parameters url string Specifies the URL of the CRL distribution point a case insensitive string of 1 to 125 characters in the format of ldap server_location or http server_location where server_location must be an IP address or a domain name Usage guidelines When the...

Page 248: ...r expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters E...

Page 249: ...Issuer Issuer of the certificate Validity Validity period of the certificate Subject Entity holding the certificate Subject Public Key Info Public key information of the entity X509v3 extensions Extensions of the X 509 version 3 certificate X509v3 CRL Distribution Points Distribution points of X 509 version 3 CRLs Related commands certificate request polling pki domain pki retrieval certificate di...

Page 250: ... access control policy mypolicy access control policy name mypolicy rule 1 deny mygroup1 rule 2 permit mygroup2 Table 32 Command output Field Description access control policy Name of the certificate attribute based access control policy rule number Number of the access control rule display pki certificate attribute group Use display pki certificate attribute group to display information about one...

Page 251: ...r fqdn FQDN of the entity nctn Not contain operations app Value of attribute 2 display pki crl domain Use display pki crl domain to display the locally saved CRLs Syntax display pki crl domain domain name begin exclude include regular expression Views Any view Default command level 1 Monitor level Parameters domain name Specifies a PKI domain name a string of 1 to 15 characters Filters command out...

Page 252: ...ntry extensions Table 34 Command output Field Description Version Version of the CRL Signature Algorithm Signature algorithm used by the CRLs Issuer CA issuing the CRLs Last Update Last update time Next Update Next update time CRL extensions Extensions of CRL X509v3 Authority Key Identifier CA issuing the CRLs The certificate version is X 509 v3 keyid ID of the public key A CA might have multiple ...

Page 253: ...QDN of an entity as pki domain name com Sysname system view Sysname pki entity 1 Sysname pki entity 1 fqdn pki domain name com include serial number Use include serial number to configure a PKI entity to include the device serial number in the identity information Use serial number to restore the default Syntax include serial number undo include serial number Default The PKI entity does not contai...

Page 254: ... pki entity 1 ip 11 0 0 1 ldap server Use ldap server to specify an LDAP server for a PKI domain Use undo ldap server to remove the configuration Syntax ldap server ip ip address port port number version version number undo ldap server Default No LDP server is specified for a PKI domain Views PKI domain view Default command level 2 System level Parameters ip address Specifies the IP address of the...

Page 255: ...Default command level 2 System level Parameters locality name Specifies a geographical locality name for an entity a case insensitive string of 1 to 31 characters No comma can be included Examples Configure the locality of an entity as city Sysname system view Sysname pki entity 1 Sysname pki entity 1 locality city organization Use organization to configure the name of the organization to which th...

Page 256: ...em level Parameters org unit name Specifies an organization unit name for an entity a case insensitive string of 1 to 31 characters No comma can be included The organization unit name distinguishes different units in an organization Examples Configure the name of the organization unit to which an entity belongs as group1 Sysname system view Sysname pki entity 1 Sysname pki entity 1 organization un...

Page 257: ...rtificate attribute group to delete one or all certificate attribute groups Syntax pki certificate attribute group group name undo pki certificate attribute group group name all Default No certificate attribute group exists Views System view Default command level 2 System level Parameters group name Specifies a certificate attribute group by its name a case insensitive string of 1 to 16 characters...

Page 258: ...PKI domain view or enter the view of an existing PKI domain Use undo pki domain to remove a PKI domain Syntax pki domain domain name undo pki domain domain name Default No PKI domain exists Views System view Default command level 2 System level Parameters domain name Specifies a PKI domain name a case insensitive string of 1 to 15 characters Usage guidelines You can create up to 32 PKI domains on ...

Page 259: ... or local certificate from a file and save it locally Syntax pki import certificate ca local domain domain name der p12 pem filename filename Views System view Default command level 2 System level Parameters ca Specifies the CA certificate local Specifies the local certificate domain name Specifies a PKI domain by its name a string of 1 to 15 characters der Specifies the certificate format of DER ...

Page 260: ...level 2 System level Parameters domain name Specifies a PKI domain by its name a string of 1 to 15 characters password Specifies the password for certificate revocation a case sensitive string of 1 to 31 characters pkcs10 Displays the BASE64 encoded PKCS 10 certificate request information which can be used to request a certification by an out of band means like phone disk or email filename filenam...

Page 261: ...tains the CA certificate local Obtains the local certificate domain name Specifies a PKI domain by its name Examples Obtain the CA certificate from the CA server Sysname system view Sysname pki retrieval certificate ca domain 1 Related commands pki domain pki retrieval crl domain Use pki retrieval crl domain to obtain the latest CRLs from the server for CRL distribution Syntax pki retrieval crl do...

Page 262: ...ocus of certificate validity verification will check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked Examples Verify the validity of the local certificate Sysname system view Sysname pki validate certificate local domain 1 Related commands pki domain root certificate fingerprint Use root certificate fingerprint to configure the fingerprint to ...

Page 263: ... control rule Use undo rule to delete one or all access control rules Syntax rule id deny permit group name undo rule id all Default No access control rule exists Views PKI certificate access control policy view Default command level 2 System level Parameters id Specifies the ID of the certificate attribute access control rule The value range is 1 to 16 and the default is the smallest unused numbe...

Page 264: ...ate to specify the name of the state or province where an entity resides Use undo state to remove the configuration Syntax state state name undo state Default No state or province is specified Views PKI entity view Default command level 2 System level Parameters state name Specifies the state or province name a case insensitive string of 1 to 31 characters No comma can be included Examples Specify...

Page 265: ... AH uses no authentication algorithm Views IPsec transform set view Default command level 2 System level Parameters md5 Uses MD5 This keyword is not supported in FIPS mode sha1 Uses SHA 1 Usage guidelines You must use the transform command to specify the AH security protocol or both AH and ESP before you specify authentication algorithms for AH Examples Configure IPsec transform set prop1 to use A...

Page 266: ... isakmp policy1 1 connection name CenterToA cryptoengine enable Use cryptoengine enable to enable the encryption engine Use undo cryptoengine enable to disable the encryption engine Syntax cryptoengine enable slot slot number undo cryptoengine enable slot slot number Default The encryption engine is enabled Views System view Default command level 2 System level Parameters slot slot number Specifie...

Page 267: ...egular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines If you do not specify any parameters the command displays detailed information about all IPsec policies If you specify the name policy name option but leave the seq number argument the command disp...

Page 268: ...olicy_isakmp Interface GigabitEthernet3 0 1 IPsec policy name policy_isakmp sequence number 10 acl version ACL4 mode isakmp encapsulation mode tunnel security data flow 3000 selector mode standard ike peer name per PFS N transform set name prop1 synchronization inbound anti replay interval 1000 packets synchronization outbound anti replay interval 10000 packets IPsec sa local duration time based 3...

Page 269: ...setting AH spi 54321 0xd431 AH string key AH authentication hex key outbound ESP setting ESP spi 65432 0xff98 ESP string key ESP encryption hex key ESP authentication hex key IPsec Policy Group manual Interface Protocol OSPFv3 RIPng BGP IPsec policy name policy001 sequence number 10 acl version None mode manual encapsulation mode tunnel security data flow tunnel local address tunnel remote address...

Page 270: ...lied Protocol Name of the protocol to which the IPsec policy is applied This field is not displayed when the IPsec policy is not applied to any routing protocol sequence number Sequence number of the IPsec policy mode Negotiation mode of the IPsec policy manual Manual mode isakmp IKE negotiation mode template IPsec policy template mode gdoi GDOI mode encapsulation mode IPsec packet encapsulation m...

Page 271: ...c policy template or IPsec policy template group template name Specifies the name of the IPsec policy template a string of 1 to 41 characters seq number Specifies the sequence number of the IPsec policy template in the range of 1 to 10000 Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the ...

Page 272: ...ulation mode tunnel security data flow ACL s Version acl4 ike peer name per PFS N transform set name testprop IPsec sa local duration time based 3600 seconds IPsec sa local duration traffic based 1843200 kilobytes Table 38 Command output Field Description encapsulation mode IPsec packet encapsulation mode tunnel Tunnel mode transport Transport mode security data flow ACL referenced by the IPsec po...

Page 273: ...ile and is a case insensitive string of 1 to 15 characters Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays al...

Page 274: ...terface that references the IPsec profile encapsulation mode Encapsulation mode for the IPsec profile dvpn DVPN tunnel mode tunnel IPsec tunnel mode security data flow ACL referenced by the IPsec profile As an IPsec profile does not reference any ACL no information is displayed for this field ike peer name IKE peer referenced by the IPsec profile PFS Whether perfect forward secrecy is enabled DH g...

Page 275: ...ess ipv6 Specifies an IPv6 address ip address Specifies the remote IP address Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression ...

Page 276: ...cates the authentication algorithm A value of NULL means that type of algorithm is not specified Display detailed information about all IPsec SAs Sysname display ipsec sa Interface GigabitEthernet3 0 1 path MTU 1500 IPsec policy name r2 sequence number 1 acl version ACL4 mode isakmp PFS N DH group none tunnel local address 2 2 2 2 remote address 1 1 1 2 flow sour addr 192 168 2 0 255 255 255 0 por...

Page 277: ...ion used for nat traversal N Protocol OSPFv3 IPsec policy name manual sequence number 1 acl version None mode manual PFS N DH group none tunnel flow inbound AH SAs spi 0x12d683 1234563 transform AH MD5HMAC96 in use setting Transport connection id 3 No duration limit for this sa outbound AH SAs spi 0x12d683 1234563 transform AH MD5HMAC96 in use setting Transport connection id 4 No duration limit fo...

Page 278: ... ENCRYPT DES ESP AUTH MD5 in use setting Tunnel connection id 6 sa duration kilobytes sec 4294967295 604800 sa remaining duration kilobytes sec 1843200 2686 anti replay detection Disabled outbound ESP SAs spi 0x2FC8FD45 801701189 transfrom ESP ENCRYPT DES ESP AUTH MD5 in use setting Tunnel connection id 7 sa duration kilobytes sec 4294967295 604800 sa remaining duration kilobytes sec 1843200 2686 ...

Page 279: ...utbound direction sour addr Source IP address of the data flow dest addr Destination IP address of the data flow port Port number protocol Protocol type inbound Information of the inbound SA outbound Information of the outbound SA spi Security parameter index transform Security protocol and algorithms used by the IPsec transform set in use setting IPsec SA attribute setting transport or tunnel con...

Page 280: ...at do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines If you do not specify any parameters the command displays the statistics for all IPsec packets Examples Display statistics for all IPsec packets Sysname display ipsec...

Page 281: ...evice dropped security packet detail Detailed information about inbound outbound packets that get dropped not enough memory Number of packets dropped due to lack of memory can t find SA Number of packets dropped due to finding no security association queue is full Number of packets dropped due to full queues authentication has failed Number of packets dropped due to authentication failure wrong le...

Page 282: ...ified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines If you do not specify any parameters the command displays information about all IPsec transform sets Examples Display information about all IPsec transform sets Sysname display ipsec transform set IPsec transform set name tran1 encapsulation mode tunnel ESN dis...

Page 283: ...e that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display information about IPsec tunnels Sysname display ipsec tunnel to...

Page 284: ...e used for fast negotiation mode in IKE phase 2 SA s SPI SPIs of the inbound and outbound SAs tunnel Local and remote addresses of the tunnel flow Data flow protected by the IPsec tunnel including source IP address destination IP address source port destination port and protocol as defined in acl 3001 The IPsec tunnel protects all data flows defined by ACL 3001 encapsulation mode Use encapsulation...

Page 285: ... esp authentication algorithm md5 sha1 undo esp authentication algorithm Default In FIPS mode ESP uses the SHA 1 authentication algorithm In non FIPS mode ESP uses no authentication algorithm Views IPsec transform set view Default command level 2 System level Parameters md5 Uses the MD5 algorithm which uses a 128 bit key This keyword is not supported in FIPS mode sha1 Uses the SHA 1 algorithm whic...

Page 286: ...Data Encryption Standard 3DES in CBC mode which uses a 168 bit key This keyword is not supported in FIPS mode aes cbc 128 Uses the Advanced Encryption Standard AES in CBC mode that uses a 128 bit key aes cbc 192 Uses AES in CBC mode that uses a 192 bit key aes cbc 256 Uses AES in CBC mode that uses a 256 bit key des Uses the DES in cipher block chaining CBC mode which uses a 56 bit key This keywor...

Page 287: ...eer name Views IPsec policy view IPsec policy template view IPsec profile view Default command level 2 System level Parameters peer name Specifies the IKE peer name a string of 1 to 32 characters Examples Configure a reference to an IKE peer in an IPsec policy Sysname system view Sysname ipsec policy policy1 10 isakmp Sysname ipsec policy isakmp policy1 10 ike peer peer1 Configure a reference to a...

Page 288: ...eplay window Default The size of the anti replay window is 32 Views System view Default command level 2 System level Parameters width Specifies the size of the anti replay window It can be 32 64 128 256 512 or 1024 Usage guidelines Your configuration affects only IPsec SAs negotiated later Examples Set the size of the anti replay window to 64 Sysname system view Sysname ipsec anti replay window 64...

Page 289: ...encryption is enabled the following occurs when an IPsec protected interface encapsulates a packet If the packet size is less than the interface MTU the interface directly encapsulates the packet If the packet size exceeds the interface MTU the interface first fragments and then encapsulates the packet If the packet size exceeds the interface MTU and the packet contains a DF bit the interface dire...

Page 290: ...pecified SPI When the peer receives the message it deletes the SAs on its side Then subsequent traffic triggers the two peers to establish new SAs Examples Enable invalid SPI recovery Sysname system view Sysname ipsec invalid spi recovery enable ipsec policy interface view Use ipsec policy to apply an IPsec policy group to an interface Use undo ipsec policy to remove the application Syntax ipsec p...

Page 291: ...c policies Syntax ipsec policy policy name seq number gdoi isakmp manual undo ipsec policy policy name seq number Default No IPsec policy exists Views System view Default command level 2 System level Parameters policy name Specifies the name for the IPsec policy a case insensitive string of 1 to 15 characters No minus sign can be included seq number Specifies the sequence number for the IPsec poli...

Page 292: ...nt to delete an IPsec policy Use undo ipsec policy without the seq number argument to delete an IPsec policy group Syntax ipsec policy policy name seq number isakmp template template name undo ipsec policy policy name seq number Views System view Default command level 2 System level Parameters policy name Specifies the name for the IPsec policy a case insensitive string of 1 to 15 characters No mi...

Page 293: ...ng of 1 to 41 characters No minus sign can be included seq number Specifies the sequence number for the IPsec policy template in the range of 1 to 65535 Usage guidelines Using the undo command without the seq number argument deletes an IPsec policy template group In an IPsec policy template group an IPsec policy template with a smaller sequence number has a higher priority Examples Create an IPsec...

Page 294: ...rofile1 Related commands ipsec profile tunnel interface view display ipsec profile ipsec profile tunnel interface view Use ipsec profile to apply an IPsec profile to a DVPN tunnel interface or an IPsec tunnel interface Use undo ipsec profile to remove the application Syntax ipsec profile profile name undo ipsec profile Default No IPsec profile is applied to a DVPN tunnel interface or an IPsec tunn...

Page 295: ...fault Syntax ipsec sa global duration time based seconds traffic based kilobytes undo ipsec sa global duration time based traffic based Default The time based global SA lifetime is 3600 seconds and the traffic based global SA lifetime is 1843200 kilobytes Views System view Default command level 2 System level Parameters seconds Specifies the time based global SA lifetime in seconds in the range of...

Page 296: ...set Syntax ipsec transform set transform set name undo ipsec transform set transform set name Default No IPsec transform set exists Views System view Default command level 2 System level Parameters transform set name Specifies the name of an IPsec transform set a case insensitive string of 1 to 32 characters Examples Create an IPsec transform set named tran1 and enter its view Sysname system view ...

Page 297: ...roup2 and 768 bit Diffie Hellman group dh group1 This command allows IPsec to perform an additional key exchange process during the negotiation phase 2 providing an additional level of security The local Diffie Hellman group must be the same as that of the peer This command can be used only when the SAs are to be set up through IKE negotiation Related commands ipsec policy template ipsec policy sy...

Page 298: ...le packet information pre extraction Use undo qos pre classify to restore the default Syntax qos pre classify undo qos pre classify Default Packet information pre extraction is disabled Views IPsec policy view IPsec policy template view Default command level 2 System level Usage guidelines With the packet information pre extraction feature enabled QoS classifies a packet based on the header of the...

Page 299: ...named policy name are specified remote Specifies SAs to or from a remote address in dotted decimal notation ip address Specifies the remote IP address Usage guidelines Immediately after a manually set up SA is cleared the system automatically sets up a new SA based on the parameters of the IPsec policy After IKE negotiated SAs are cleared the system sets up new SAs only when IKE negotiation is tri...

Page 300: ...ute Default IPsec RRI is disabled Views IPsec policy view IPsec policy template view Default command level 2 System level Parameters static Enables static IPsec Reverse Route Inject RRI Static IPsec RRI creates static routes based on the ACL that the IPsec policy references This keyword is available only in IPsec policy view If this keyword is not specified you enable dynamic IPsec RRI which creat...

Page 301: ...ec policy Peer tunnel address set with the tunnel remote command IPsec policy that uses IKE The remote tunnel endpoint which is the address configured in the remote address command in IKE view reverse route remote peer ip address static Static Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy Address identified by the ip address argument reverse ro...

Page 302: ... table Destination Mask Proto Pre Cost NextHop Interface 3 0 0 0 24 Static 60 0 1 1 1 2 GE3 0 1 Configure static IPsec RRI to create static routes based on ACL 3000 Take the peer private network as the destination and 1 1 1 3 as the next hop Sysname ipsec policy 1 1 isakmp Sysname ipsec policy isakmp 1 1 reverse route remote peer 1 1 1 3 static Sysname ipsec policy isakmp 1 1 quit Display the rout...

Page 303: ... 1 1 reverse route remote peer 1 1 1 3 gateway Display the routing table The expected routes appear in the routing table after the IPsec SA negotiation succeeds Other routes are not shown Sysname display ip routing table Destination Mask Proto Pre Cost NextHop Interface 1 1 1 2 32 Static 60 0 1 1 1 3 GE3 0 1 3 0 0 0 24 Static 60 0 1 1 1 2 GE3 0 1 Related commands reverse route preference reverse r...

Page 304: ...x reverse route tag tag value undo reverse route tag Default The tag value is 0 for the static routes created by IPsec RRI Views IPsec policy view Default command level 2 System level Parameters tag value Sets a route tag for the static routes The value range is 1 to 4294967295 Usage guidelines This command makes sense only when used together with the reverse route command When you change the rout...

Page 305: ...poses all keys including keys configured in plain text are saved in cipher text to the configuration file Usage guidelines This command applies to only manual IPsec policies When configuring a manual IPsec policy you must set the parameters of both the inbound and outbound SAs The authentication key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end ...

Page 306: ...294967295 Usage guidelines When negotiating to set up an SA IKE prefers the lifetime settings of the IPsec policy or IPsec profile that it uses If the IPsec policy or IPsec transform set is not configured with its own lifetime settings IKE uses the global SA lifetime settings which are configured with the ipsec sa global duration command When negotiating to set up an SA IKE prefers the shorter one...

Page 307: ...encryption key hex key Specifies the key string If cipher is specified this argument is case sensitive and must be a ciphertext string of 1 to 117 characters If simple is specified this argument is case insensitive and must be an 8 byte hexadecimal string for DES CBC a 16 byte hexadecimal string for AES128 CBC or a 24 byte hexadecimal string for 3DES CBC and AES192 CBC If neither cipher nor simple...

Page 308: ...ameters inbound Specifies the inbound SA through which IPsec processes the received packets outbound Specifies the outbound SA through which IPsec processes the packets to be sent ah Uses AH esp Uses ESP spi number Specifies the security parameters index SPI in the SA triplet in the range of 256 to 4294967295 Usage guidelines This command applies to only manual IPsec policies When configuring a ma...

Page 309: ...cifies the outbound SA through which IPsec processes the packets to be sent ah Uses AH esp Uses ESP cipher Sets a ciphertext key simple Sets a plaintext key string key Specifies the key string This argument is case sensitive If cipher is specified it must be a ciphertext string of 1 to 373 characters If simple is specified it must be a string of 1 to 255 characters If neither cipher nor simple is ...

Page 310: ...cross the defined scope Examples Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab Sysname system view Sysname ipsec policy policy1 100 manual Sysname ipsec policy manual policy1 100 sa string key inbound ah simple abcdef Sysname ipsec policy manual policy1 100 sa string key outbound ah simple efcdab Configure the inbound and outbound SAs that use AH to...

Page 311: ...es the one last specified In IPsec GDOI policy view you cannot configure IPv6 ACLs or the aggregation keyword If you specify an ACL that contains permit statements the packets matching the permit statements are dropped Examples Configure IPsec policy policy1 to reference ACL 3001 Sysname system view Sysname acl number 3001 Sysname acl adv 3001 rule permit tcp source 10 1 1 0 0 0 0 255 destination ...

Page 312: ...sform set to specify an IPsec transform set for the IPsec policy or IPsec profile to reference Use undo transform set to remove an IPsec transform set referenced by the IPsec policy or IPsec profile Syntax transform set transform set name 1 6 undo transform set transform set name Default An IPsec policy or IPsec profile references no IPsec transform set Views IPsec policy view IPsec policy templat...

Page 313: ...ansform set tran1 Sysname ipsec transform set tran1 Sysname ipsec transform set tran1 quit Sysname ipsec policy policy1 100 manual Sysname ipsec policy manual policy1 100 transform set tran1 Configure IPsec profile profile1 to reference IPsec transform set tran2 Sysname system view Sysname ipsec transform set tran2 Sysname ipsec transform set prop2 quit Sysname ipsec profile profile1 Sysname ipsec...

Page 314: ... ipv6 ip address undo tunnel remote ip address Default No remote address is configured for the IPsec tunnel Views IPsec policy view Default command level 2 System level Parameters ipv6 Specifies an IPv6 address ip address Specifies the remote address for the IPsec tunnel Usage guidelines This command applies to only manual IPsec policies If you execute this command multiple times the most recent c...

Page 315: ... proposal uses the SHA 1 authentication algorithm Views IKE proposal view Default command level 2 System level Parameters md5 Uses HMAC MD5 This keyword is not supported in FIPS mode sha Uses HMAC SHA 1 Examples Set MD5 as the authentication algorithm for IKE proposal 10 Sysname system view Sysname ike proposal 10 Sysname ike proposal 10 authentication algorithm md5 Related commands ike proposal d...

Page 316: ...re the PKI domain of the certificate when IKE uses digital signature as the authentication mode Use undo certificate domain to remove the configuration Syntax certificate domain domain name undo certificate domain Views IKE peer view Default command level 2 System level Parameters domain name Specifies the name of the PKI domain a string of 1 to 15 characters Examples Configure the PKI domain as a...

Page 317: ...on in phase 1 Examples Specify 768 bit Diffie Hellman for IKE proposal 10 Sysname system view Sysname ike proposal 10 Sysname ike proposal 10 dh group1 Related commands ike proposal display ike proposal display ike dpd Use display ike dpd to display information about Dead Peer Detection DPD detectors Syntax display ike dpd dpd name begin exclude include regular expression Views Any view Default co...

Page 318: ... display ike peer to display information about IKE peers Syntax display ike peer peer name begin exclude include regular expression Views Any view Default command level 1 Monitor level Parameters peer name Specifies the name of the IKE peer a string of 1 to 32 characters Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Config...

Page 319: ...teway local ip address IP address of the local security gateway peer name Name of the remote security gateway nat traversal Whether NAT traversal is enabled dpd Name of the peer DPD detector Related commands ike peer display ike proposal Use display ike proposal to view the settings of all IKE proposals Syntax display ike proposal begin exclude include regular expression Views Any view Default com...

Page 320: ...68 50000 default PRE_SHARED SHA DES_CBC MODP_768 86400 Table 48 Command output Field Description priority Priority of the IKE proposal authentication method Authentication method used by the IKE proposal authentication algorithm Authentication algorithm used by the IKE proposal encryption algorithm Encryption algorithm used by the IKE proposal Diffie Hellman group DH group used in IKE negotiation ...

Page 321: ...meters or keywords the command displays brief information about the current IKE SAs Examples Display brief information about the current IKE SAs Sysname display ike sa total phase 1 SAs 1 connection id peer flag phase doi 1 202 38 0 2 RD ST 1 IPSEC 2 202 38 0 2 RD ST 2 IPSEC flag meaning RD READY ST STAYALIVE RL REPLACED FD FADING TO TIMEOUT RK REKEY Table 49 Command output Field Description total...

Page 322: ...ity initiator local id type IPV4_ADDR local id 4 4 4 4 remote id type IPV4_ADDR remote id 4 4 4 5 local ip 4 4 4 4 remote ip 4 4 4 5 connection id 2 authentication method PRE SHARED KEY authentication algorithm HASH SHA1 encryption algorithm DES CBC life duration sec 86400 remaining key duration sec 86379 exchange mode MAIN diffie hellman group GROUP1 nat traversal NO Display detailed information ...

Page 323: ... id type IPV4_ADDR local id 4 4 4 4 remote id type IPV4_ADDR remote id 4 4 4 5 local ip 4 4 4 4 remote ip 4 4 4 5 connection id 2 authentication method PRE SHARED KEY authentication algorithm HASH SHA1 encryption algorithm DES CBC life duration sec 86400 remaining key duration sec 82236 exchange mode MAIN diffie hellman group GROUP1 nat traversal NO Table 50 Command output Field Description vpn in...

Page 324: ...key duration sec Remaining lifetime of the ISAKMP SA in seconds exchange mode IKE negotiation mode in phase 1 diffie hellman group DH group used for key negotiation in IKE phase 1 nat traversal Whether NAT traversal is enabled Related commands ike proposal ike peer dpd Use dpd to apply a DPD detector to an IKE peer Use undo dpd to remove the application Syntax dpd dpd name undo dpd Default No DPD ...

Page 325: ...FIPS mode aes cbc Uses the AES algorithm in CBC mode as the encryption algorithm The AES algorithm uses 128 bit 192 bit or 256 bit keys for encryption key length Specifies the key length for the AES algorithm which can be 128 192 or 256 bits and is defaulted to 128 bits des cbc Uses the DES algorithm in CBC mode as the encryption algorithm The DES algorithm uses 56 bit keys for encryption This key...

Page 326: ...tem view Sysname ike peer peer1 Sysname ike peer peer1 exchange mode main Related commands id type id type Use id type to select the type of the ID for IKE negotiation Use undo id type to restore the default Syntax id type ip name user fqdn undo id type Default The ID type is IP address Views IKE peer view Default command level 2 System level Parameters ip Uses an IP address as the ID during IKE n...

Page 327: ...name Specifies the name for the DPD detector a string of 1 to 32 characters Usage guidelines DPD irregularly detects dead IKE peers It works as follows 1 When the local end sends an IPsec packet it checks the time the last IPsec packet was received from the peer 2 If the time interval exceeds the DPD interval it sends a DPD hello to the peer 3 If the local end receives no DPD acknowledgement withi...

Page 328: ...fqdn command on the initiator the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation and you must configure the ike local name command in system view or the local name command in IKE peer view on the local device If you configure both the ike local name command and the local name command the name configured by the local name command is used The IKE negotiatio...

Page 329: ...evel 2 System level Examples Disable Next payload field checking for the last payload of an IKE message Sysname system view Sysname ike next payload check disabled ike peer system view Use ike peer to create an IKE peer and enter IKE peer view Use undo ike peer to delete an IKE peer Syntax ike peer peer name undo ike peer peer name Views System view Default command level 2 System level Parameters ...

Page 330: ...default IKE proposal in non FIPS mode and FIPS mode Setting Non FIPS mode FIPS mode Encryption algorithm DES CBC AES_CBC_128 Authentication algorithm HMAC SHA1 SHA Authentication method Pre shared key Pre shared key DH group MODP_768 MODP_1024 SA lifetime 86400 seconds 86400 seconds Examples Create IKE proposal 10 and enter IKE proposal view Sysname system view Sysname ike proposal 10 Sysname ike ...

Page 331: ...epalive timeout Use undo ike sa keepalive timer timeout to disable the function Syntax ike sa keepalive timer timeout seconds undo ike sa keepalive timer timeout Default No keepalive packet is sent Views System view Default command level 2 System level Parameters seconds Specifies the ISAKMP SA keepalive timeout in seconds in the range of 20 to 28800 Usage guidelines The keepalive timeout configur...

Page 332: ...ange of 5 to 300 Examples Set the NAT keepalive interval to 5 seconds Sysname system view Sysname ike sa nat keepalive timer interval 5 interval time Use interval time to set the DPD query triggering interval for a DPD detector Use undo interval time to restore the default Syntax interval time interval time undo interval time Default The default DPD interval is 10 seconds Views IKE DPD view Defaul...

Page 333: ...to single Usage guidelines Use this command to enable interoperability with a NetScreen device Examples Set the subnet type of the local security gateway to multiple Sysname system view Sysname ike peer xhy Sysname ike peer xhy local multi subnet local address Use local address to configure the IP address of the local security gateway in IKE negotiation Use undo local address to remove the configu...

Page 334: ...otiation a case sensitive string of 1 to 32 characters Usage guidelines If you configure the id type name or id type user fqdn command on the initiator the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation and you must configure the ike local name command in system view or the local name command in IKE peer view on the local device If you configure both the ...

Page 335: ...raversal function for IKE peer peer1 Sysname system view Sysname ike peer peer1 Sysname ike peer peer1 nat traversal peer Use peer to set the subnet type of the peer security gateway for IKE negotiation Use undo peer to restore the default Syntax peer multi subnet single subnet undo peer Default The subnet is a single one Views IKE peer view Default command level 2 System level Parameters multi su...

Page 336: ...string of 1 to 201 characters If simple is specified it must be a string of 1 to 128 characters If neither cipher nor simple is specified you set a plaintext key string In FIPS mode the key string must contain at least eight characters comprising digits upper case letters lower case letters and special characters For security purposes all keys including keys configured in plain text are saved in c...

Page 337: ... IKE proposals The responder uses the IKE proposals configured in system view for negotiation Examples Configure IKE peer peer1 to reference IKE proposal 10 Sysname system view Sysname ike peer peer1 Sysname ike peer peer1 proposal 10 Related commands ike proposal ike peer system view remote address Use remote address to configure the IP address of the IPsec remote security gateway Use undo remote...

Page 338: ...nitiator of IKE negotiation if the remote address is a host IP address or a host name The local end can only be the responder of IKE negotiation if the remote address is an address range that the local end can respond to If the IP address of the remote address changes frequently configure the host name of the remote gateway with the dynamic keyword so that the local end can use the up to date remo...

Page 339: ...name ike peer peer1 Sysname ike peer peer1 remote name apple reset ike sa Use reset ike sa to clear IKE SAs Syntax reset ike sa connection id Views User view Default command level 2 System level Parameters connection id Specifies the connection ID of the IKE SA to be cleared in the range of 1 to 2000000000 Usage guidelines If you do not specify a connection ID the command clears all ISAKMP SAs Whe...

Page 340: ...efault The ISAKMP SA lifetime is 86400 seconds Views IKE proposal view Default command level 2 System level Parameters Seconds Specifies the ISAKMP SA lifetime in seconds in the range of 60 to 604800 Usage guidelines Before an SA expires IKE negotiates a new SA The new SA takes effect immediately after being set up and the old one will be cleared automatically when it expires Examples Specify the ...

Page 341: ...m level Parameters time out Specifies the DPD packet retransmission interval in seconds in the range of 1 to 60 Usage guidelines The default DPD packet retransmission interval is 5 seconds Examples Set the DPD packet retransmission interval to 1 second for dpd2 Sysname system view Sysname ike dpd dpd2 Sysname ike dpd dpd2 time out 1 ...

Page 342: ...by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a...

Page 343: ...FTP client001 Table 52 Command output Field Description Conn Connected VTY channel Ver SSH server protocol version Encry Encryption algorithm State Status of the session Init Initialization Ver exchange Version negotiation Keys exchange Keys exchange Auth request Authentication request Serv request Session service request Established The session is established Disconnected The session is disconnec...

Page 344: ...ion a case sensitive string of 1 to 256 characters Usage guidelines This command displays only information about SSH users configured by using the ssh user command on the SSH server Examples Display information about all SSH users Sysname display ssh user information Total ssh users 2 Username Authentication type User public key name Service type yemx password null stelnet test publickey pubkey sf...

Page 345: ...ut timer for SFTP user connections Use undo sftp server idle timeout to restore the default Syntax sftp server idle timeout time out value undo sftp server idle timeout Default The idle timeout timer is 10 minutes Views System view Default command level 3 Manage level Parameters time out value Specifies a timeout timer in minutes in the range of 1 to 35791 Usage guidelines If an SFTP connection is...

Page 346: ... malicious hacking of usernames and passwords This configuration takes effect only for the users at next login Authentication fails if the number of authentication attempts including both publickey and password authentication exceeds the upper limit configured by this command If the authentication method is password publickey the server first uses publickey authentication and then uses password au...

Page 347: ...tions Examples Set the SSH user authentication timeout timer to 10 seconds Sysname system view Sysname ssh server authentication timeout 10 Related commands display ssh server ssh server compatible ssh1x enable Use ssh server compatible ssh1x enable to enable the SSH server to support SSH1 clients Use undo ssh server compatible ssh1x to disable the SSH server from supporting SSH1 clients Syntax ss...

Page 348: ...el Examples Enable the SSH server function Sysname system view Sysname ssh server enable Related commands display ssh server ssh server rekey interval Use ssh server rekey interval to set the interval for updating the RSA server key Use undo ssh server rekey interval to restore the default Syntax ssh server rekey interval hours undo ssh server rekey interval Default The update interval of the RSA ...

Page 349: ...s System view Default command level 3 Manage level Parameters username Specifies an SSH username a case sensitive string of 1 to 80 characters service type Specifies the service type of an SSH user all Specifies Stelnet SFTP and SCP scp Specifies the service type as SCP sftp Specifies the service type as SFTP stelnet Specifies the service type of Stelnet authentication type Specifies the authentic...

Page 350: ...nges the server needs to update the local configuration promptly work directory directory name Specifies the working directory for an SFTP user The directory name argument is a string of 1 to 135 characters Usage guidelines If the SSH server uses publickey authentication you must create an SSH user account on the device If the SSH server uses password authentication you do not need to create the u...

Page 351: ...Connection closed Sysname cd Use cd to change the working path on an SFTP server Syntax cd remote path Views SFTP client view Default command level 3 Manage level Parameters remote path Specifies a path on the server If you do not specify this argument the command displays the current working path Usage guidelines You can use the cd command to return to the upper level directory You can use the cd...

Page 352: ...and level 3 Manage level Parameters remote file 1 10 Specifies one or more files to delete on the server 1 10 means that you can provide up to 10 filenames which are separated by space Usage guidelines This command functions as the remove command Examples Delete file temp c from the server sftp client delete temp c The following files will be deleted temp c Are you sure to delete it Y N y This ope...

Page 353: ...the current working directory in the form of a list sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 rwxrwxrwx 1 noone nogroup 225 Sep 28 08 28 pub1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08 24 new1 drwxrwxrwx 1 noone nogroup 0 Sep 28 08 18 new2 rwxrwxrwx 1 noone nogroup 225 Sep...

Page 354: ...sion Views Any view Default command level 1 Monitor level Parameters Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include D...

Page 355: ...on a case sensitive string of 1 to 256 characters Usage guidelines This command is also available on an SFTP client When an SSH client needs to authenticate the SSH server it uses the locally saved public key of the server for the authentication If the authentication fails you can use this command to examine the public key of the server saved on the client Examples Display the mappings between SSH...

Page 356: ...3 Manage level Parameters remote file Specifies the name of a file on the SFTP server local file Specifies the name for the local file If this argument is not specified the file will be saved locally with the same name as that on the SFTP server Examples Download file temp1 c and save it as temp c locally sftp client get temp1 c temp c Remote file temp1 c Local file temp c Downloading file success...

Page 357: ...ctory remote path Specifies the directory to be queried If this argument is not specified the command displays the file and folder information under the current working directory Usage guidelines f you do not specify the a keyword or the l keyword the command displays detailed information about files and folders under the specified directory in the form of a list This command functions as the dir ...

Page 358: ...l file remote file Views SFTP client view Default command level 3 Manage level Parameters local file Specifies the name of a local file remote file Specifies the name for the file on an SFTP server If this argument is not specified the file will be saved remotely with the same name as the local one Examples Upload local file temp c to the SFTP server and save it as temp1 c sftp client put temp c t...

Page 359: ...nds Examples Terminate the connection with the SFTP server sftp client quit Bye Connection closed Sysname remove Use remove to delete files from a remote server Syntax remove remote file 1 10 Views SFTP client view Default command level 3 Manage level Parameters remote file 1 10 Specifies one or more files to delete on an SFTP server 1 10 means that you can provide up to 10 filenames which are sep...

Page 360: ...file or directory Examples Change the name of a file on the SFTP server from temp1 c to temp2 c sftp client rename temp1 c temp2 c File successfully renamed rmdir Use rmdir to delete the specified directories from an SFTP server Syntax rmdir remote path 1 10 Views SFTP client view Default command level 3 Manage level Parameters remote path 1 10 Specifies one or more directories to delete on the re...

Page 361: ... a case insensitive string of 1 to 46 characters port number Specifies the port number of the server in the range of 0 to 65535 The default is 22 get Downloads the file put Uploads the file source file path Specifies the directory of the source file destination file path Specifies the directory of the target file If this argument is not specified the directory names of the source and target files ...

Page 362: ...tication method is publickey the client must get the local private key for digital signature In non FIPS mode because the publickey authentication uses either RSA or DSA algorithm you must specify an algorithm by using the identity key keyword in order to get the correct data for the local private key In non FIPS mode the default algorithms are as follows The algorithm for publickey authentication...

Page 363: ...r dsa or rsa In non FIPS mode the algorithm is either dsa or rsa In FIPS mode the algorithm is rsa dsa Specifies the public key algorithm dsa rsa Specifies the public key algorithm rsa prefer compress Specifies the preferred compression algorithm By default the compression algorithm is not used zlib Specifies the compression algorithm ZLIB zlib openssh Specifies the compression algorithm ZLIB open...

Page 364: ...r HMAC algorithm is sha1 96 The preferred key exchange algorithm is dh group exchange The preferred server to client encryption algorithm is aes128 The preferred server to client HMAC algorithm is sha1 96 In FIPS mode the default algorithms are as follows The algorithm for publickey authentication is rsa The preferred client to server encryption algorithm is aes128 The preferred client to server H...

Page 365: ...interface as the source interface Examples Specify the source IPv6 address of the SFTP client as 2 2 2 2 Sysname system view Sysname sftp client ipv6 source ipv6 2 2 2 2 Related commands display sftp client source sftp client source Use sftp client source to specify the source IPv4 address or interface of an SFTP client Use undo sftp client source to remove the configuration Syntax sftp client sou...

Page 366: ...entity key rsa prefer ctos cipher aes128 aes256 prefer ctos hmac sha1 sha1 96 prefer kex dh group14 prefer stoc cipher aes128 aes256 prefer stoc hmac sha1 sha1 96 Views User view Default command level 3 Manage level Parameters server Specifies an IPv6 server by its address or host name a case insensitive string of 1 to 46 characters port number Specifies the port number of the server in the range ...

Page 367: ... preferred server to client encryption algorithm The default is aes128 prefer stoc hmac Specifies the preferred server to client HMAC algorithm The default is sha1 96 Usage guidelines When the server adopts publickey authentication to authenticate a client the client must get the local private key for digital signature In non FIPS mode because the publickey authentication uses either RSA or DSA al...

Page 368: ...rver as the public key name Views System view Default command level 2 System level Parameters server IP address or name of the server a string of 1 to 80 characters assign publickey keyname Specifies the name of the host public key of the server a string of 1 to 64 characters Usage guidelines If the client does not support first time authentication it will reject unauthenticated servers In this ca...

Page 369: ...uthenticate the server Because the server might update its key pairs periodically a client must obtain the most recent host public key of the server for successful authentication of the server Examples Enable the first time authentication function Sysname system view Sysname ssh client first time enable ssh client ipv6 source Use ssh client ipv6 source to specify the source IPv6 address or source ...

Page 370: ...ber ip ip address undo ssh client source Default An Stelnet client uses the IP address of the interface specified by the route of the device to access the Stelnet server Views System view Default command level 3 Manage level Parameters interface interface type interface number Specifies a source interface by its type and number ip ip address Specifies a source IPv4 address Usage guidelines To make...

Page 371: ...a or rsa In non FIPS mode the algorithm is either dsa or rsa In FIPS mode the algorithm is rsa dsa Specifies the public key algorithm dsa rsa Specifies the public key algorithm rsa prefer compress Specifies the preferred compression algorithm By default the compression algorithm is not used zlib Specifies the compression algorithm ZLIB zlib openssh Specifies the compression algorithm zlib openssh ...

Page 372: ...referred key exchange algorithm is dh group exchange The preferred server to client encryption algorithm is aes128 The preferred server to client HMAC algorithm is sha1 96 In FIPS mode the default algorithms are as follows The algorithm for publickey authentication is rsa The preferred client to server encryption algorithm is aes128 The preferred client to server HMAC algorithm is sha1 96 The pref...

Page 373: ... Specifies the compression algorithm ZLIB zlib openssh Specifies the compression algorithm ZLIB openssh com prefer ctos cipher Specifies the preferred client to server encryption algorithm The default is aes128 3des Specifies the encryption algorithm 3des cbc This keyword is not available in FIPS mode aes128 Specifies the encryption algorithm aes128 cbc aes256 Specifies the encryption algorithm ae...

Page 374: ...preferred key exchange algorithm is dh group exchange The preferred server to client encryption algorithm is aes128 The preferred server to client HMAC algorithm is sha1 96 In FIPS mode the default algorithms are as follows The algorithm for publickey authentication is rsa The preferred client to server encryption algorithm is aes128 The preferred client to server HMAC algorithm is sha1 96 The pre...

Page 375: ... line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display the packet filtering statistics of the IPv6 firewall Sysnam...

Page 376: ...tted to the total Totally 0 packets 0 bytes 0 denied Indicates all denied packets the number of packets and bytes and the percentage of all the denied to the total display firewall statistics Use display firewall statistics to view the packet filtering statistics of the IPv4 firewall Syntax display firewall statistics all interface interface type interface number begin exclude include regular expr...

Page 377: ...irewall all Specifies all interface cards slot slot number Specifies the interface card in the specified slot In standalone mode chassis chassis number slot slot number Specifies an interface card in an IRF member device The chassis number argument represents the IRF member ID of the device The slot number argument represents the slot number of the card In IRF mode Examples Specify the default fil...

Page 378: ...ault Use firewall ipv6 default to specify the default firewall filtering action of the IPv6 firewall Syntax firewall ipv6 default deny permit Default The default filtering action of IPv6 firewall is permitting packets to pass permit Views System view Default command level 2 System level Parameters deny Specifies the filtering action as denying packets to pass the firewall permit Specifies the filt...

Page 379: ...mmand level 2 System level Parameters acl number Specifies a basic ACL number in the range of 2000 to 2999 or an advanced ACL number in the range of 3000 to 3999 name acl name Specifies the name of a basic or advanced IPv4 ACL a case insensitive string of 1 to 63 characters that must start with an English letter a to z or A to Z To avoid confusion the word all cannot be used as the ACL name inboun...

Page 380: ...aracters that must start with an English letter a to z or A to Z To avoid confusion the word all cannot be used as the ACL name inbound Specifies to filter packets received by the interface outbound Specifies to filter packets forwarded by the interface Usage guidelines You can apply only one IPv6 ACL in one direction of an interface to filter packets Examples Apply IPv6 ACL 2500 to GigabitEtherne...

Page 381: ... command level 1 Monitor level Parameters all Clears the packet filtering statistics on all interfaces of the IPv4 firewall interface interface type interface number Clears the packet filtering statistics on the specified interface of the IPv4 firewall Examples Clear the packet filtering statistics of IPv4 firewall on GigabitEthernet 3 0 1 Sysname reset firewall statistics interface gigabitetherne...

Page 382: ...egin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display information about all ASPF policies ...

Page 383: ...ular expression Views Any view Default command level 1 Monitor level Parameters Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expressio...

Page 384: ... match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display ASPF policy 1 Sysname display aspf policy 1 ASPF Policy Configuration Policy Number 1 icmp error drop tcp syn check Table 58 Command output Field Description ASPF Policy Confi...

Page 385: ...ion regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display all the information about port mapping Sysname display port mapping SERVICE PORT ACL TYPE ftp 21 system defined h323 1720 system defined http 80 system defined rtsp 554 system defined smtp 25 system defined ike 500 system defined https 443 system defined vam 18000 system defined ss...

Page 386: ...Apply ASPF policy 1 to the outbound direction of GigabitEthernet 3 0 1 Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 firewall aspf 1 outbound icmp error drop Use icmp error drop to specify to drop ICMP error messages Use undo icmp error drop to restore the default Syntax icmp error drop undo icmp error drop Default ICMP error messages are not dropped View...

Page 387: ...d VAM port port number Specifies the port that the application layer protocol is mapped to The port number is in the range of 0 to 65535 acl acl number Specifies the IPv4 ACL for indicating the host range The ACL number is in the range of 2000 to 2999 Examples Map port 3456 to the FTP protocol Sysname system view Sysname port mapping ftp port 3456 Related commands display port mapping tcp syn chec...

Page 388: ...ples Configure ASPF policy 1 to drop any non SYN packet which is the first packet over a TCP connection Sysname system view Sysname aspf policy 1 Sysname aspf policy 1 tcp syn check Related commands aspf policy ...

Page 389: ...vel 2 System level Parameters all Enables ALG for all protocols dns Enables ALG for DNS ftp Enables ALG for FTP gtp Enables ALG for GTP h323 Enables ALG for H 323 ils Enables ALG for ILS msn Enables ALG for MSN nbt Enables ALG for NBT pptp Enables ALG for PPTP qq Enables ALG for QQ rtsp Enables ALG for RTSP sccp Enables ALG for SCCP sip Enables ALG for SIP sqlnet Enables ALG for SQLNET a language ...

Page 390: ...es the aging time for MSN sessions qq Specifies the aging time for QQ sessions sip Specifies the aging time for SIP sessions time value Specifies the aging time in seconds in the range of 5 to 100000 Usage guidelines If no application layer protocol type is specified the command restores the session aging timers for the application layer protocols to the defaults The default session aging times fo...

Page 391: ...ression a case sensitive string of 1 to 256 characters Usage guidelines You can use this command to display the default session aging timers for the application layer protocols before these session aging timers are adjusted Examples Display the current session aging timers for the application layer protocols Sysname display application aging time Protocol Aging time s ftp 3600 dns 60 sip 300 msn 3...

Page 392: ...ging timers in different protocol states before these session aging timers are adjusted Examples Display the current session aging timers in different protocol states Sysname display session aging time Protocol Aging time s syn 10 tcp est 3600 fin 10 udp open 10 udp ready 30 icmp open 30 icmp closed 10 rawip open 30 rawip ready 60 accelerate 5 Table 61 Command output Field Description Protocol Pro...

Page 393: ...on Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines This command is supported by only the FIP600 card Examples Display session count on the card in slot 3 Sysname display session hardware slot 3 Current hardware session s 100 display session relation table Use display session relation table to display relationship table entries Syntax In standalone mod...

Page 394: ...2000s AllowConn 10 Total find 2 Table 62 Command output Field Description Local IP Port IP address port number of the inside network Global IP Port IP address port number of the outside network MatchMode Match mode from session table to relationship table Local The source IP address source port of a new session are matched against Local IP Port in the relation table Global The destination IP addre...

Page 395: ...e specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines If no slot number is specified the command displays statistics for the sessions on all cards If no keyword is specified the command displays statistics for all sessions This command is...

Page 396: ...n establishment rate Establishment rate of ICMP sessions RAWIP Session establishment rate Establishment rate of Raw IP sessions Received TCP Counts of received TCP packets and bytes Received UDP Counts of received UDP packets and bytes Received ICMP Counts of received ICMP packets and bytes Received RAWIP Counts of received Raw IP packets and bytes Dropped TCP Counts of dropped TCP packets and byt...

Page 397: ...s the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines If no argument is specified the command displays...

Page 398: ...18 1212 VPN Instance VLAN ID VLL ID Pro TCP 6 App TELNET State TCP EST Start time 2009 03 17 09 30 33 TTL 3600s Root Zone in Management Zone out Local Received packet s Init 1173 packet s 47458 byte s Received packet s Reply 1168 packet s 61845 byte s Total find 2 Table 64 Command output Field Description Initiator Session information of the initiator Responder Session information of the responder...

Page 399: ...tination ip destination ip protocol type icmp raw ip tcp udp source port source port destination port destination port vpn instance vpn instance name In IRF mode reset session chassis chassis number slot slot number source ip source ip destination ip destination ip protocol type icmp raw ip tcp udp source port source port destination port destination port vpn instance vpn instance name Views User ...

Page 400: ...n the public network If no parameter is specified the command clears all sessions Examples Clear all sessions Sysname reset session Clear all sessions with the source IP address as 10 10 10 10 of the initiator Sysname reset session source ip 10 10 10 10 reset session statistics Use reset session statistics to clear session statistics Syntax In standalone mode reset session statistics slot slot num...

Page 401: ...osed Specifies the aging timer for the ICMP sessions in the CLOSED state icmp open Specifies the aging timer for the ICMP sessions in the OPEN state rawip open Specifies the aging timer for the sessions in the RAWIP_OPEN state rawip ready Specifies the aging timer for the sessions in the RAWIP_READY state syn Specifies the aging timer for the TCP sessions in the SYN_SENT or SYN_RCV state tcp est S...

Page 402: ...ion checksum all icmp tcp udp Default Checksum verification is disabled Views System view Default command level 2 System level Parameters all Enables checksum verification for TCP UDP and ICMP packets icmp Enables checksum verification for ICMP packets tcp Enables checksum verification for TCP packets udp Enables checksum verification for UDP packets Examples Enable checksum verification for UDP p...

Page 403: ...ns are aged out earlier When the session ratio equals or drops below the lower threshold the session aging time is restored to the normal values configured by the application aging time or session aging time command If the difference between the session aging time and the value specified by the shorten time argument is less than 5 seconds the session aging time becomes 5 seconds Examples Configure...

Page 404: ... to 3999 Inbound Specifies session logs in the inbound direction outbound Specifies session logs in the outbound direction Usage guidelines If you do not specify the acl acl number option the command enables session logging for all sessions on the interface You can enable session logging on an interface in a single direction or both directions In each direction you can configure only one ACL If yo...

Page 405: ...s Set the packet count threshold for session logging to 10 mega packets Sysname system view Sysname session log packets active 10 session log time active Use session log time active to set the holdtime threshold for session logging Use undo session log time active to remove the setting Syntax session log time active time value undo session log time active Default The system does not output session...

Page 406: ... argument represents the number of the slot where the card resides In standalone mode chassis chassis number slot slot number Specifies a card on a member device The chassis number argument specifies the ID of the IRF member device The slot number argument specifies the number of the slot that holds the card In IRF mode Usage guidelines For distributed devices you can set the maximum number of ses...

Page 407: ...ds Specifies the aging time for persistent sessions in seconds If this keyword is specified the value range for the time value argument is 5 to 100000 seconds Usage guidelines Persistent sessions will not be removed because they are not matched with any packets within the aging time You can manually remove such sessions when necessary A persistent session rule can reference only one ACL Examples C...

Page 408: ...ied you cannot add remove or modify the connection limit rules in the connection limit policy view Examples Apply connection limit policy 0 Sysname system view Sysname connection limit apply policy 0 Related commands connection limit policy connection limit policy Use connection limit policy to create a connection limit policy and enter connection limit policy view Use undo connection limit policy...

Page 409: ...mber The value is 0 all Displays all connection limit policies Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Display...

Page 410: ...ent is in the range of 1 to 32 any Specifies all IP addresses on the specified network For example source ip any specifies all hosts on the source network source vpn src vpn name Specifies a source MPLS L3VPN to which the connections belong where src vpn name is a case sensitive string of 1 to 31 characters If the connections are in the public network do not specify this keyword and argument combi...

Page 411: ...mit rule 2 to limit the maximum number of UDP connections destined to 2 2 2 2 Sysname connection limit policy 0 limit 2 destination ip 2 2 2 2 32 protocol udp max connections 200 Configure connection limit rule 3 to limit the maximum number of IP connections sourced from each host on the segment 1 1 1 0 24 Sysname connection limit policy 0 limit 3 source ip 1 1 1 0 24 protocol ip max connections 2...

Page 412: ...ls Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines If you do no...

Page 413: ...pecifies a blocking suffix keyword It is a case insensitive string of 1 to 9 characters Its starting character must be a dot and the subsequent characters must be digits or English letters verbose Specifies detailed information Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line ...

Page 414: ... packet s being passed display firewall http url filter host Use display firewall http url filter host to display information about URL address filtering Syntax display firewall http url filter host all item keywords verbose begin exclude include regular expression Views Any view Default command level 1 Monitor level Parameters all Specifies all URL filtering keywords item keywords Specifies a fil...

Page 415: ... including webfilter had been matched for 10 times Display URL address filtering information for all filtering entries Sysname display firewall http url filter host all SN Match Times Keywords 1 10 webfilter Table 68 Command output Field Description SN Serial number Match Times Number of times that the keyword has been matched Keywords URL address filtering keyword Display detailed information abo...

Page 416: ...sion and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Usage guidelines If you do not specify any parameters the command displays brief information about URL parameter filtering ...

Page 417: ...ctivex blocking acl acl number undo firewall http activex blocking acl Default No ACL is specified for ActiveX blocking Views System view Default command level 2 System level Parameters acl number ACL number in the range of 2000 to 3999 Usage guidelines After the command takes effect all web requests containing any suffix keywords in the ActiveX blocking suffix list will be processed according to ...

Page 418: ...irewall http activex blocking firewall http activex blocking suffix Use firewall http activex blocking suffix to add an ActiveX blocking suffix keyword to the ActiveX blocking suffix list Use undo firewall http activex blocking suffix to remove an ActiveX blocking suffix keyword from the ActiveX blocking suffix list Syntax firewall http activex blocking suffix keywords undo firewall http activex b...

Page 419: ...effect all web requests containing any suffix keywords in the Java blocking suffix list will be processed according to the specified ACL You can specify multiple ACLs for Java blocking but only the last one takes effect You can specify a non existing ACL but Java blocking based on the ACL takes effect only after you create and configure the ACL correctly Examples Specify the ACL for Java blocking ...

Page 420: ...ocking suffix keyword from the Java blocking suffix list Syntax firewall http java blocking suffix keywords undo firewall http java blocking suffix keywords Views System view Default command level 2 System level Parameters keywords Blocking suffix keyword a case insensitive string of 1 to 9 characters Its starting character must be a dot and the subsequent characters must be digits or English lett...

Page 421: ... the last one takes effect You can specify a non existing ACL but filtering based on the ACL takes effect only after you create and configure the ACL correctly Examples Specify URL address filtering to permit web requests with website IP addresses permitted by ACL 2000 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 0 permit source 3 3 3 3 0 0 0 0 Sysname acl basic 2000 qui...

Page 422: ... URL address filtering function Syntax firewall http url filter host enable undo firewall http url filter host enable Default The URL address filtering function is disabled Views System view Default command level 2 System level Examples Enable the URL address filtering function Sysname system view Sysname firewall http url filter host enable Related commands display firewall http url filter host f...

Page 423: ...commands display firewall http url filter host firewall http url filter host enable firewall http url filter host url address Use firewall http url filter host url address to add a URL address filtering entry and set the filtering action Use undo firewall http url filter host url address to remove one or all URL address filtering entries Syntax firewall http url filter host url address deny permit...

Page 424: ...does not match website addresses like www webfilter china com A filtering entry with neither caret at the beginning nor dollar sign at the end indicates a fuzzy match and matches website addresses containing the keyword If asterisk is present at the beginning of a filtering entry it must be present in the format like xxx where xxx represents a keyword for example com or webfilter com A filtering e...

Page 425: ...iltering entry Stands for one valid character It can be present multiple times at any position of a filtering entry consecutively or inconsecutively and cannot be used next to an asterisk If it is present at the beginning or end of a filtering entry it must be next to a caret or a dollar sign Stands for up to 4 valid characters including spaces It can be present once in the middle of a filtering e...

Page 426: ...rameter enable Default The URL parameter filtering function is disabled Views System view Default command level 2 System level Examples Enable the URL parameter filtering function Sysname system view Sysname firewall http url filter parameter enable Related commands display firewall http url filter parameter reset firewall http Use reset firewall http to clear web filtering statistics Syntax reset...

Page 427: ... url filter parameter Specifies URL parameter filtering statistics counter Specifies to clear statistics Examples Clear URL address filtering statistics Sysname reset firewall http url filter host counter ...

Page 428: ...n interface must already be created by using the attack defense policy command One interface can be configured with only one attack protection policy If you apply multiple policies to an interface only the last one takes effect However one policy can be applied to multiple interfaces Examples Apply attack protection policy 1 to interface GigabitEthernet 3 0 1 Sysname system view Sysname interface ...

Page 429: ... Views System view Default command level 2 System level Parameters policy number Sequence number of an attack protection policy in the range of 1 to 128 You can configure a maximum of 128 attack protection policies interface interface type interface number Specifies the interface that uses the policy exclusively If you specify an interface the policy is applied to the interface only Otherwise the ...

Page 430: ...ble to restore the default Syntax blacklist enable undo blacklist enable Default The blacklist function is disabled Views System view Default command level 2 System level Usage guidelines After the blacklist function is enabled you can add blacklist entries manually or configure the device to add blacklist entries automatically The auto blacklist function must cooperate with the scanning attack pr...

Page 431: ...ry never gets aged and always exists unless you delete it manually Usage guidelines You can use the undo blacklist ip source ip address timeout command to cancel the aging time specified for a manually added blacklist entry After the configuration this blacklist entry never gets aged All blacklist entries can take effect only when the blacklist function is enabled You can modify the aging time of ...

Page 432: ...ck defense policy defense icmp flood enable Use defense icmp flood enable to enable ICMP flood attack protection Use undo defense icmp flood enable to restore the default Syntax defense icmp flood enable undo defense icmp flood enable Default ICMP flood attack protection is disabled Views Attack protection policy view Default command level 2 System level Examples Enable ICMP flood attack protectio...

Page 433: ...ecified action threshold the device considers the IP address to be under attack enters attack protection state and takes protection actions as configured low rate number Sets the silence threshold for ICMP flood attack protection of the specified IP address The rate number argument indicates the number of ICMP packets sent to the specified IP address per second and is in the range of 1 to 64000 Th...

Page 434: ... considers the IP address to be under attack enters attack protection state and takes protection actions as configured low rate number Sets the global silence threshold for ICMP flood attack protection The rate number argument indicates the number of ICMP packets sent to an IP address per second and is in the range of 1 to 64000 When the device is in attack protection state if it detects that the ...

Page 435: ...list timeout command The blacklist entries added by the scanning attack protection function take effect only after you enable the blacklist function for the device by using the blacklist enable command If you delete an entry blacklisted by scanning attack protection short after the entry is added within 1 second the system does not add the entry again This is because the system considers the subse...

Page 436: ...ies in the range of 1 to 1000 in minutes Examples Set the aging time for entries blacklisted by the scanning attack protection function to 20 minutes Sysname system view Sysname attack defense policy 1 Sysname attack defense policy 1 defense scan blacklist timeout 20 Related commands blacklist enable defense scan add to blacklist defense scan enable defense scan max rate defense scan enable Use de...

Page 437: ...estore the default which is 4000 connections per second Syntax defense scan max rate rate number undo defense scan max rate Views Attack protection policy view Default command level 2 System level Parameters rate number Threshold of the connection establishment rate number of connections established in a second that triggers scanning attack protection in the range of 1 to 10000 Usage guidelines Wi...

Page 438: ...and level 2 System level Parameters drop packet Drops all subsequence connection requests to the attacked IP address trigger tcp proxy Adds a protected IP address entry for the attacked IP address and triggers the TCP proxy function Examples Configure the SYN flood protection policy to drop SYN flood attack packets Sysname system view Sysname attack defense policy 1 Sysname attack defense policy 1...

Page 439: ...protected This IP address cannot be a broadcast address 127 0 0 0 8 a class D address or a class E address high rate number Sets the action threshold for SYN flood attack protection of the specified IP address The rate number argument indicates the number of SYN packets sent to the specified IP address per second and is in the range of 1 to 64000 With SYN flood attack protection enabled the device...

Page 440: ...hreshold high rate number low rate number undo defense syn flood rate threshold Default The global action threshold is 1000 packets per second and the global silence threshold is 750 packets per second Views Attack protection policy view Default command level 2 System level Parameters high rate number Sets the global action threshold for SYN flood attack protection The rate number argument indicat...

Page 441: ... flood rate threshold high 3000 low 1000 Related commands defense syn flood enable display attack defense policy defense udp flood action drop packet Use defense udp flood action drop packet to configure the device to drop UDP flood attack packets Use undo defense udp flood action to restore the default Syntax defense udp flood action drop packet undo defense udp flood action Default The device do...

Page 442: ...pecific IP address Use undo defense udp flood ip to remove the configuration Syntax defense udp flood ip ip address rate threshold high rate number low rate number undo defense udp flood ip ip address rate threshold Default No UDP flood attack protection thresholds are configured for an IP address Views Attack protection policy view Default command level 2 System level Parameters ip address IP add...

Page 443: ...nd Sysname system view Sysname attack defense policy 1 Sysname attack defense policy 1 defense udp flood ip 192 168 1 2 rate threshold high 2000 low 1000 Related commands defense udp flood action drop packet defense udp flood enable display attack defense policy defense udp flood rate threshold Use defense udp flood rate threshold to configure the global action and silence thresholds for UDP flood...

Page 444: ...ection set the global action threshold to 3000 packets per second and the global silence threshold to 1000 packets per second Sysname system view Sysname attack defense policy 1 Sysname attack defense policy 1 defense udp flood rate threshold high 3000 low 1000 Related commands defense udp flood action drop packet defense udp flood enable display attack defense policy display attack defense policy...

Page 445: ... attack defense Enabled Add to blacklist Enabled Blacklist timeout 10 minutes Max rate 1000 connections s Signature detect action Drop packet ICMP flood attack defense Enabled ICMP flood action Syslog ICMP flood high rate 2000 packets s ICMP flood low rate 750 packets s ICMP flood attack defense for specific IP addresses IP High rate packets s Low rate packets s 192 168 1 1 1000 500 192 168 2 1 20...

Page 446: ...ction is enabled Route record attack defense Indicates whether Route Record attack protection is enabled Scan attack defense Indicates whether scanning attack protection is enabled Add to blacklist Indicates whether the blacklist function is enabled for scanning attack protection Blacklist timeout Aging time of the blacklist entries Max rate Threshold for the connection establishment rate Signatur...

Page 447: ... None 128 GigabitEthernet3 0 2 Related commands attack defense policy display attack defense statistics interface Use display attack defense statistics interface to display the attack protection statistics of an interface Syntax display attack defense statistics interface interface type interface number begin exclude include regular expression Views Any view Default command level 1 Monitor level P...

Page 448: ...s dropped 100 Tracert attacks 1 Tracert packets dropped 100 WinNuke attacks 1 WinNuke packets dropped 100 Scan attacks 1 Scan attack packets dropped 100 SYN flood attacks 1 SYN flood packets dropped 100 ICMP flood attacks 1 ICMP flood packets dropped 100 UDP flood attacks 1 UDP flood packets dropped 100 Table 74 Command output Field Description Attack policy number Sequence number of the attack pr...

Page 449: ...Number of detected WinNuke attacks WinNuke packets dropped Number of WinNuke packets dropped Scan attacks Number of detected scanning attacks Scan attack packets dropped Number of scanning attack packets dropped SYN flood attacks Number of detected SYN flood attacks SYN flood attack packets dropped Number of SYN flood attack packets dropped ICMP flood attacks Number of detected ICMP flood attacks ...

Page 450: ... output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Spe...

Page 451: ... slot number destination ip dest ip address source ip src ip address vpn instance vpn instance name begin exclude include regular expression Views Any view Default command level 1 Monitor level Parameters destination ip dest ip address Displays statistics of the traffic destined for the specified destination IP address dest ip address indicates the destination IP address which cannot be a broadcas...

Page 452: ...istics Information IP Address 192 168 1 2 Total number of existing sessions 70 Session establishment rate 10 s TCP sessions 10 Half open TCP sessions 10 Half close TCP sessions 10 TCP session establishment rate 10 s UDP sessions 10 UDP session establishment rate 10 s ICMP sessions 10 ICMP session establishment rate 10 s RAWIP sessions 10 RAWIP session establishment rate 10 s Table 76 Command outpu...

Page 453: ...ation Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display the inbound traffic sta...

Page 454: ...ion Syntax In standalone mode display tcp proxy protected ip slot slot number begin exclude include regular expression In IRF mode display tcp proxy protected ip chassis chassis number slot slot number begin exclude include regular expression Views Any view Default command level 1 Monitor level Parameters slot slot number Displays information about protected IP addresses on a card slot number spec...

Page 455: ...ics enable to enable traffic statistics collection on an interface Use undo flow statistics enable to restore the default Syntax flow statistics enable destination ip inbound outbound source ip undo flow statistics enable destination ip inbound outbound source ip Default The traffic statistics collection function is disabled on an interface Views Interface view Default command level 2 System level...

Page 456: ...vel 1 Monitor level Parameters interface type interface number Specifies an interface by its type and number Examples Clear the attack protection statistics of interface GigabitEthernet 3 0 1 Sysname reset attack defense statistics interface gigabitethernet 3 0 1 Related commands display attack defense statistics interface signature detect Use signature detect to enable signature detection of a si...

Page 457: ...me system view Sysname attack defense policy 1 Sysname attack defense policy 1 signature detect fraggle enable Related commands display attack defense policy signature detect action drop packet Use signature detect action drop packet to configure the device to drop single packet attack packets Use undo signature detect action to restore the default Syntax signature detect action drop packet undo s...

Page 458: ...ge ICMP attack packets This command is effective only when signature detection of large ICMP attack is enabled Examples Enable signature detection of large ICMP attack set the ICMP packet length threshold that triggers large ICMP attack protection to 5000 bytes and configure the device to drop ICMP packets longer than the specified maximum length Sysname system view Sysname attack defense policy 1...

Page 459: ...er When detecting SYN flood attacks the TCP proxy function can take effect only if it is enabled Examples Enable TCP proxy on interface GigabitEthernet 3 0 1 Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 tcp proxy enable Related commands defense syn flood action tcp proxy mode display tcp proxy protected ip tcp proxy mode Use tcp proxy mode to set the TCP...

Page 460: ...447 Related commands tcp proxy enable display tcp proxy protected ip ...

Page 461: ...ar expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples In standalone mode display status of all TCP connections Sysname display tcp status TCP MD5 Connection TCPCB Local Add port Foreign Add port State 03e37dc4 0 0 0 0 4001 0 0 0 0 0 Listening 04217174 100 0 0 204 23 100 0 0 253 65508 Established In IRF mode display status of all TCP...

Page 462: ... to disable the protection against Naptha attack Syntax tcp anti naptha enable undo tcp anti naptha enable Default The protection against Naptha attack is disabled Views System view Default command level 2 System level Usage guidelines The configurations made by using the tcp state and tcp timer check state commands are removed after the protection against Naptha attack is disabled Examples Enable...

Page 463: ...n a certain state in the range of 0 to 500 Usage guidelines You must enable the protection against Naptha attack before executing this command Otherwise an error is prompted You can configure the maximum number of TCP connections in each state If the maximum number of TCP connections in a state is 0 the aging of TCP connections in this state is not accelerated Examples Set the maximum number of TC...

Page 464: ...evel 2 System level Parameters time value Specifies the TCP connection state check interval in seconds in the range of 1 to 60 Usage guidelines The device periodically checks the number of TCP connections in each state If it detects that the number of TCP connections in a state exceeds the maximum number it accelerates the aging of TCP connections in such a state You must enable the protection aga...

Page 465: ...dress mac address mac address Displays IPv4 source guard entries of an MAC address in the format H H H slot slot number Displays IPv4 source guard entries for a card The slot number argument specifies the number of the slot that holds the card In standalone mode chassis chassis number slot slot number Displays IPv4 source guard entries for a card on an IRF member device The chassis number argument...

Page 466: ...ic Table 80 Command output Field Description Total entries found Total number of IPv4 source guard entries MAC Address MAC address of the IPv4 source guard entry N A means that no MAC address is bound in the entry IP Address IP address of the IPv4 source guard entry N A means that no IP address is bound in the entry VLAN VLAN bound to the IPv4 source guard entry N A means that no VLAN information ...

Page 467: ...entry repeatedly on one port but you can configure the same static entry on different ports You cannot configure a static binding entry on a link aggregation member port Examples Configure a static IPv4 source guard entry IP MAC binding on port GigabitEthernet 3 0 1 Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 ip source binding ip address 192 168 0 1 mac...

Page 468: ...e system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 ip verify source ip address mac address Configure IPv4 source guard on VLAN interface 100 to filter packets based on the source IPv4 address and MAC address Sysname system view Sysname interface vlan interface 100 Sysname Vlan interface100 ip verify source ip address mac address Related commands display ip source bi...

Page 469: ...d the existing entries will not be affected New IPv4 binding entries however cannot be added any more unless the number of IPv4 binding entries on the port drops below the configured maximum Examples Set the maximum number of IPv4 source guard entries to 100 on port GigabitEthernet 3 0 1 Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 ip verify source max e...

Page 470: ... view Default command level 2 System level Examples Enable ARP blackhole routing Sysname system view Sysname arp resolving route enable arp source suppression enable Use arp source suppression enable to enable the ARP source suppression function Use undo arp source suppression enable to disable the function Syntax arp source suppression enable undo arp source suppression enable Default The ARP sou...

Page 471: ...The value range is 2 to 1024 Usage guidelines If the number of unresolvable packets from a host within 5 seconds exceeds the specified threshold the device stops resolving packets from the host until the 5 seconds elapse Examples Set the maximum number of unresolvable packets that the device can receive in 5 seconds to 100 Sysname system view Sysname arp source suppression limit 100 Related comman...

Page 472: ... unresolvable destination IP addresses that the device can receive in five seconds Current cache length Size of cache used to record source suppression information ARP packet rate limit configuration commands arp rate limit Use arp rate limit to configure or disable ARP packet rate limit Use undo arp rate limit to restore the default Syntax In standalone mode arp rate limit disable rate pps drop s...

Page 473: ...way Use undo arp anti attack valid check enable to restore the default Syntax arp anti attack valid check enable undo arp anti attack valid check enable Default ARP packet source MAC address consistency check is disabled Views System view Default command level 2 System level Usage guidelines After you execute the arp anti attack valid check enable command the gateway device can filter out ARP pack...

Page 474: ...enable Authorized ARP configuration commands NOTE This feature is supported only on Layer 3 Ethernet interfaces arp authorized enable Use arp authorized enable to enable authorized ARP on an interface Use undo arp authorized enable to restore the default Syntax arp authorized enable undo arp authorized enable Default Authorized ARP is not enabled on the interface Views Layer 3 Ethernet interface v...

Page 475: ...nder IP address ip address Matches a sender IP address ip address mask Specifies the mask for the sender IP address in dotted decimal format If no mask is specified the ip address argument specifies a host IP address mac any mac address mac address mask Specifies the sender MAC address range any Matches any sender MAC address mac address Matches a sender MAC address in the format of H H H mac addr...

Page 476: ... restore the default Syntax arp detection enable undo arp detection enable Default ARP detection is disabled Views VLAN view Default command level 2 System level Examples Enable ARP detection for VLAN 2 Sysname system view Sysname vlan 2 Sysname Vlan2 arp detection enable arp detection trust Use arp detection trust to configure the port as an ARP trusted port Use undo arp detection trust to restor...

Page 477: ... Ethernet header the packet is considered invalid and discarded ip Checks the source and destination IP addresses of ARP packets The all zero all one or multicast IP addresses are considered invalid and the corresponding packets are discarded With this keyword specified the source and destination IP addresses of ARP replies and the source IP address of ARP requests are checked src mac Checks wheth...

Page 478: ... Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display the VLANs enab...

Page 479: ...P detection statistics of all interfaces Sysname display arp detection statistics State U Untrusted T Trusted ARP packets dropped by ARP inspect checking Interface State IP Src MAC Dst MAC Inspect GE3 0 1 U 40 0 0 78 GE3 0 2 U 0 0 0 0 GE3 0 3 T 0 0 0 0 GE3 0 4 U 0 0 30 0 Table 82 Command output Field Description Interface State State T or U identifies a trusted or untrusted port IP Number of ARP p...

Page 480: ...ve the same attributes as the manually configured static ARP entries The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports As a result the device might fail to change all dynamic ARP entries into static ARP entries Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is...

Page 481: ... range is specified the device only scans the network where the primary IP address of the interface resides for neighbors The sender IP address in the ARP requests is the primary IP address of the interface The start IP address and end IP address must be on the same network as the primary IP address or manually configured secondary IP addresses of the interface IP addresses already exist in ARP en...

Page 482: ... both arp filter source and arp filter binding commands on a port Examples Enable ARP gateway protection for the gateway with IP address 1 1 1 1 Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 arp filter source 1 1 1 1 ARP filtering configuration commands NOTE The commands of this feature are supported only when SAP modules operate in bridge mode arp filter...

Page 483: ...sender MAC address Usage guidelines You can configure up to eight ARP filtering entries on a port You cannot configure both arp filter source and arp filter binding commands on a port Examples Configure an ARP filtering entry with permitted sender IP address 1 1 1 1 and MAC address 2 2 2 Sysname system view Sysname interface gigabitethernet 3 0 1 Sysname GigabitEthernet3 0 1 arp filter binding 1 1...

Page 484: ...vel Usage guidelines In a typical forged ND packet the Ethernet frame header conveys a source MAC address different than the source link layer address option To filter out these invalid ND packets use the source MAC consistency check function to check ND packets for MAC address inconsistency If VRRP is used disable source MAC consistency check for ND packets to prevent incorrect dropping of packet...

Page 485: ... output interface of a FIB entry allow default route Allows using the default route for URPF check acl acl number ACL number in the range of 2000 to 3999 For a basic ACL the value range is 2000 to 2999 For an advanced ACL the value range is 3000 to 3999 Usage guidelines Configuring URPF in interface view takes effect only on the interface You can use the display ip interface command to view statis...

Page 486: ...ps mode enable Use fips mode enable to enable FIPS mode Use undo fips mode enable to disable FIPS mode Syntax fips mode enable undo fips mode enable Default The FIPS mode is disabled Views System view Default command level 2 System level Usage guidelines The FIPS mode complies with FIPS 140 2 After FIPS mode is enabled delete the FIPS 140 2 incompliant local user service type Telnet HTTP or FTP be...

Page 487: ...e FIPS mode Sysname system view Sysname fips mode enable FIPS mode change requires a device reboot Continue Y N y Modify the configuration to be fully compliant with FIPS mode save the configuration to the next startup configuration file and then reboot to enter FIPS mode Disable FIPS mode Sysname system view Sysname undo fips mode enable FIPS mode change requires a device reboot Continue Y N y Mo...

Page 488: ...e self test fails the device automatically reboots Examples Trigger a self test on the cryptographic algorithms Sysname system view Sysname fips self test Self tests are running Please wait Self tests succeeded ...

Page 489: ...r all GDOI KS groups Examples Display KS information for the GDOI KS group abc Sysname display gdoi ks group abc Group Name abc Group identity 8 Group members 0 Redundancy Enabled Local address 105 112 100 2 Local version 1 0 Local priority 10 Local role Primary Hello interval 20 sec Hello number 3 Retransmit interval 10 sec Retransmit attempts 2 Rekey transport type Multicast Rekey lifetime 300 s...

Page 490: ... 1 IPsec rekey lifetime 300 sec Profile name profile wwl ACL configured xf Group Name xyz Group identity 18 Group members 0 Redundancy Enabled Local address 105 112 100 2 Local version 1 0 Local priority 10 Local role Primary Hello interval 20 sec Hello number 3 Retransmit interval 10 sec Retransmit attempts 2 Rekey transport type Multicast Rekey lifetime 300 sec Rekey retransmit period 10 sec Rek...

Page 491: ...ransmit interval Redundancy protocol packet retransmission interval in seconds Retransmit attempts Number of redundancy protocol packet retransmissions Rekey transport type Rekey transport type Multicast or Unicast IPsec sequence number Sequence number of the IPsec policy IPsec rekey lifetime IPsec SA lifetime When the lifetime is about to expire the KS sends rekey messages to update the TEK Profi...

Page 492: ... rule 2 deny ip ACL xyz rule 0 permit ip source 1 1 3 0 0 0 0 255 destination 2 2 4 0 0 0 0 255 Table 84 Command output Field Description Group Name GDOI KS group name rule Rule in the ACL display gdoi ks members Use display gdoi ks members to display information about online GMs in GDOI KS groups Syntax display gdoi ks members group group name ip ip address Views User view Default command level 1...

Page 493: ...0 Group member version 1 0 Group ID 8888 Key server ID 90 1 1 1 Group member ID 80 1 1 101 Group member version Unknown Group ID 8888 Key server ID 90 1 1 1 Table 85 Command output Field Description Group Name GDOI KS group name Group member ID ID of the GM in the GDOI KS group Group member version GM version If no GM version is obtained this field displays Unknown Group ID ID of the GDOI KS group...

Page 494: ... 1 1 KEK policy Rekey transport type Unicast SPI 0xB2DAFC4C36ABC9D416BB15614DCE9F60 Encryption algorithm AES CBC 128 Lifetime 30000 sec Remaining lifetime 5995 sec Signature algorithm RSA Signature key name REKEYRSA TEK policy Encapsulation Tunnel SPI 0x3EE98709 ACL frag Transform ESP ENCRYPT DES ESP AUTH MD5 Lifetime 50000 sec Remaining lifetime 25996 sec Table 86 Command output Field Description...

Page 495: ...lt command level 1 Monitor level Parameters group group name Specifies a GDOI KS group by its name a case sensitive string of 1 to 63 characters If you do not specify this option the command displays redundancy information for all GDOI KS groups Examples Display redundancy information for all GDOI KS groups Sysname display gdoi ks redundancy Group Name handl Local address 105 112 200 1 Local versi...

Page 496: ...dress Peer version Peer KS version Peer priority Peer KS priority Peer KS role Role of the peer KS Secondary Primary Unknown Peer KS status Peer KS status Down Connected Exchange Exchanging data with the local KS Ready display gdoi ks rekey Use display gdoi ks rekey to display rekey information for GDOI KS groups Syntax display gdoi ks rekey group group name Views User view Default command level 1...

Page 497: ...rekeys retransmitted 0 Retransmit period 10 sec Number of retransmissions 2 KEK rekey lifetime 0 sec IPsec 1 lifetime 1000 sec Group Name test Rekey transport type Multicast Number of rekeys sent 0 Number of rekeys retransmitted 0 Retransmit period 10 sec Number of retransmissions 1 Multicast destination address 239 192 1 190 KEK rekey lifetime 0 sec IPsec 1 lifetime 300 sec IPsec 2 lifetime 30000...

Page 498: ...the GDOI KS group a case sensitive string of 1 to 63 characters Examples Create a GDOI KS group named abc and enter its view Sysname system view Sysname gdoi ks group abc Sysname gdoi ks group abc Related commands display gdoi ks gdoi ks redundancy port Use gdoi ks redundancy port to configure the UDP port number for listening to redundancy protocol packets Use undo gdoi ks redundancy port to rest...

Page 499: ...me Specifies a GDOI KS group by its name a case sensitive string of 1 to 63 characters If you do not specify this option the command clears KS information for all GDOI KS groups on the local KS Usage guidelines A rekey refers to the process that a KS updates the TEK or KEK key and then sends the updated key to GMs Typically a GDOI KS performs rekeys periodically A KEK rekey interval is configured ...

Page 500: ...ystem view Sysname gdoi ks group abc Sysname gdoi ks group abc identity address 202 202 202 10 Related commands identity number gdoi ks group identity number Use identity number to configure a number for the GDOI KS group Use undo identity to delete the GDOI KS group number Syntax identity number number undo identity Default No number is configured for a GDOI KS group number Views GDOI KS group vi...

Page 501: ...fies a sequence number for the IPsec policy in the range of 1 to 65535 Usage guidelines You can create multiple IPsec policies for a GDOI KS group An IPsec policy with a smaller number has a higher priority A KS can send multiple IPsec policies to GMs at a time and GMs use the IPsec policies from the one with the highest priority Deleting an IPsec policy from a GDOI KS group also deletes the TEK t...

Page 502: ...ave the same priority the KS with the highest IP address is elected as the primary KS When a KS is added to a GDOI KS group that already has a primary KS the KS can only be the secondary KS even through its priority is higher than the primary KS priority Examples Enable GDOI KS group redundancy and set the GDOI KS local priority to 10 Sysname system view Sysname gdoi ks group abc Sysname gdoi ks g...

Page 503: ...e gdoi ks group abc redundancy enable Sysname gdoi ks group abc peer address 13 1 1 1 Sysname gdoi ks group abc Related commands gdoi ks group redundancy enable source address profile GDOI KS group IPsec policy view Use profile to specify the IPsec profile to be referenced by the GDOI KS group IPsec policy Use undo profile to remove the IPsec profile referenced by the GDOI KS group IPsec policy Sy...

Page 504: ...y and load sharing One KS is the primary KS and others are secondary KSs Secondary KSs back up data for the primary KS and can accept registrations from GMs Examples Enable KS redundancy in GDOI KS group abc Sysname system view Sysname gdoi ks group abc Sysname gdoi ks group abc redundancy enable Sysname gdoi ks group abc Related commands gdoi ks group redundancy hello Use redundancy hello to conf...

Page 505: ...e election When the primary KS detects a disconnection from a secondary KS it informs the secondary KS of the disconnection through hello packets The secondary KS tries to re establish a connection with the primary KS if it receives the hello packet If the connection cannot be established primary KS re election is triggered Do not set a long hello packet sending interval Otherwise secondary KSs ca...

Page 506: ...ment packets data mergence packets data updates and data synchronization packets On a not so good network you can increase the retransmission interval or retransmission number to avoid KS split If a KS loses contact with the primary KS it will split from the KS group and elect itself as the primary KS Then the KS group might have multiple primary KSs Examples Set the redundancy protocol packets re...

Page 507: ...s of the rekey ACL Examples Specify ACL 3000 as the rekey ACL for the GDOI KS group abc Sysname system view Sysname gdoi ks group abc Sysname gdoi ks group abc rekey acl 3000 Related commands gdoi ks group source address rekey authentication Use rekey authentication to specify the key pair to be used by the KS during a rekey Use undo rekey authentication to remove the specified key pair Syntax rek...

Page 508: ...t The encryption algorithm is 3des cbc Views GDOI KS group view Default command level 2 System level Usage guidelines If you execute this command multiple times the most recent configuration takes effect Examples Configure the rekey encryption algorithm as AES CBC 192 for the GDOI KS group abc Sysname system view Sysname gdoi ks group abc Sysname gdoi ks group abc rekey encryption aes cbc 192 Rela...

Page 509: ...etransmissions and the maximum number of retransmissions Syntax rekey retransmit interval interval number number undo rekey retransmit interval number Default The retransmission interval is 10 seconds and the maximum number of retransmissions is 2 Views GDOI KS group view Default command level 2 System level Parameters interval interval Specifies the rekey retransmission interval in the range of 1...

Page 510: ...sname gdoi ks group abc rekey transport unicast Related commands gdoi ks group reset gdoi ks Use reset gdoi ks to clear GDOI KS group information including keys online GMs and the role in redundancy backup Syntax reset gdoi ks group group name Views User view Default command level 2 System level Parameters group group name Specifies a GDOI KS group by its name a case sensitive string of 1 to 63 ch...

Page 511: ...he primary KS Examples Clear GM information for the GDOI KS group abc Sysname reset gdoi ks members group abc reset gdoi ks redundancy role Use reset gdoi ks redundancy role to reset GDOI KS redundancy roles Syntax reset gdoi ks redundancy role group group name Views User view Default command level 2 System level Parameters group group name Specifies a GDOI KS group by its name a case sensitive st...

Page 512: ...o GMs which use the ACL to filter traffic so as to determine the traffic to be protected by TEKs Examples Configure IPsec policy 10 for the GDOI KS group abc and then reference ACL 3000 for the IPsec policy Sysname system view Sysname gdoi ks group abc Sysname gdoi ks group abc ipsec 10 Sysname gdoi ks group abc ipsec 10 security acl 3000 Sysname gdoi ks group abc ipsec 10 Related commands gdoi ks...

Page 513: ...interface Use client registration interface to specify a registration interface for the GM in a GDOI GM group The GM uses the registration interface to send packets to the KS Use undo client registration interface to delete the registration interface specified for the GM Syntax client registration interface interface type interface number undo client registration interface Default The registration...

Page 514: ...his option the command displays information about all GDOI GM groups Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include D...

Page 515: ...Policy Rekey transport type Multicast Lifetime sec 159 Encrypt algorithm AES Key size 128 Sig hash algorithm SHA1 Sig key length bit 1024 TEK Policy Interface GigabitEthernet1 0 1 IPsec SA SPI 0x9AE5951E 2598737182 Transform ESP ENCRYPT AES 128 ESP AUTH SHA1 SA timing remaining key lifetime sec 190 Anti replay detection Disabled IPsec SA SPI 0x12C55CFF 314924287 Transform ESP ENCRYPT AES 128 ESP A...

Page 516: ... of unicast rekeys received This field is displayed only when the GDOI GM group is a unicast group Rekey ACKs sent Number of rekey ACK messages sent This field is displayed only when the GDOI GM group is a unicast group Allowable rekey cipher The rekey encryption algorithm that the GM allows Any indicates that the GM allows all encryption algorithms Allowable rekey hash The rekey hash algorithm th...

Page 517: ...n is enabled anti replay window size counter based Traffic based anti replay window size 32 64 128 256 512 or 1024 in packets This field is displayed only when anti replay detection is enabled display gdoi gm acl Use display gdoi gm acl to display ACL information for GMs Syntax display gdoi gm acl download local group group name begin exclude include regular expression Views Any view Default comma...

Page 518: ...01 rule 0 deny ip source 10 1 1 0 0 0 0 255 destination 10 1 1 0 0 0 0 255 Group Name 123 ACL Downloaded From KS 12 1 1 100 rule 1 permit ip source 13 1 1 0 0 0 0 255 destination 13 1 2 0 0 0 0 255 Display the ACL information that GMs downloaded from the KS Sysname display gdoi gm acl download Group Name abc ACL Downloaded From KS 12 1 1 100 rule 0 permit ip rule 1 permit ip source 12 1 1 0 0 0 0 ...

Page 519: ...put by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifi...

Page 520: ...ault command level 1 Monitor level Parameters group group name Displays brief GM information about a GDOI GM group The group name argument is the GDOI GM group name a case sensitive string of 1 to 63 characters If you do not specify this option the command displays information about brief information about all GMs Filters command output by specifying a regular expression For more information about...

Page 521: ... of registration attempts Last rekey from The KS from which the GM receives the last rekey message Last rekey seq num Sequence number of the last received rekey message Multicast rekeys received Number of multicast rekeys received This field is displayed only when the GDOI GM group is a multicast group Unicast rekeys received Number of unicast rekeys received This field is displayed only when the ...

Page 522: ... matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display the public key information received by all GMs Sysname display gdoi g...

Page 523: ... Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Examples Display brief rekey information of all GMs Sysna...

Page 524: ... ID of the rekey SA My Cookie Local cookie of the rekey SA His Cookie Peer cookie of the rekey SA New Information about the new rekey SA Current Information about the currently used rekey SA Previous Information about the rekey SA used last time gdoi gm group Use gdoi gm group to create a GDOI GM group and enter GDOI GM group view Use undo gdoi gm group to delete a GDOI GM group Syntax gdoi gm gro...

Page 525: ...ies the name of a GDOI GM group a case sensitive string of 1 to 63 characters The group must have existed Usage guidelines A GDOI IPsec policy can reference only one GDOI GM group If you configure this command for multiple times the last configuration takes effect GDOI IPsec policy entries of different GDOI IPsec policies can reference the same GDOI GM group but those of the same GDOI IPsec policy...

Page 526: ...DOI GM group If you execute this command multiple times the most recent configuration takes effect Examples Set the ID of GDOI GM group abc to 123456 Sysname system view Sysname gdoi gm group abc Sysname gdoi gm group abc identity number 123456 Configure the ID of GDOI GM group def as 202 202 202 10 Sysname system view Sysname gdoi gm group def Sysname gdoi gm group def identity address 202 202 20...

Page 527: ...P address Syntax server address ip address undo server address ip address Default No KS IP address is specified Views GDOI GM group view Default command level 2 System level Parameters ip address Specifies the IP address of the KS Usage guidelines You must specify KSs for GMs in a GDOI GM group A GDOI GM group can have up to eight KS addresses A GM first sends a registration request to the first s...

Page 528: ...ast one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field nam...

Page 529: ... Represents an access controller a unified wired WLAN module or the access controller engine on a unified wired WLAN switch Represents an access point Represents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewall UTM multiservice security gatewa...

Page 530: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Page 531: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Page 532: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Page 533: ... 416 attribute 227 attribute 25 car 51 authentication default 9 authentication dvpn 9 authentication lan access 10 authentication login 11 authentication portal 12 authentication ppp 13 authentication super 14 authentication algorithm 302 authentication method 302 authorization command 15 authorization default 16 authorization dvpn 17 authorization lan access 17 authorization login 18 authorizatio...

Page 534: ...splay gdoi gm rekey 510 display gdoi ks 476 display gdoi ks acl 478 display gdoi ks members 479 display gdoi ks policy 480 display gdoi ks redundancy 482 display gdoi ks rekey 483 display hwtacacs 85 display ike dpd 304 display ike peer 305 display ike proposal 306 display ike sa 307 display ip source binding 452 display ipsec policy 253 display ipsec policy template 258 display ipsec profile 260 ...

Page 535: ...l http activex blocking acl 404 firewall http activex blocking enable 405 firewall http activex blocking suffix 405 firewall http java blocking acl 406 firewall http java blocking enable 406 firewall http java blocking suffix 407 firewall http url filter host acl 408 firewall http url filter host default 408 firewall http url filter host enable 409 firewall http url filter host ip address 409 fire...

Page 536: ...3 P password 46 password 195 password control aging composition history length enable 197 password control aging 198 password control alert before expire 199 password control authentication timeout 199 password control complexity 200 password control composition 200 password control enable 202 password control expired user login 202 password control history 203 password control length 203 password...

Page 537: ... radius client 65 radius nas ip 66 radius scheme 67 radius trap 67 redundancy enable 491 redundancy hello 491 redundancy retransmit 492 rekey acl 493 rekey authentication 494 rekey encryption 495 rekey lifetime 495 rekey retransmit 496 rekey transport unicast 497 Remote support 518 remote address 324 remote name 325 remove 346 rename 347 reset arp detection statistics 466 reset attack defense stat...

Page 538: ... server 355 ssh client first time enable 355 ssh client ipv6 source 356 ssh client source 357 ssh server authentication retries 333 ssh server authentication timeout 333 ssh server compatible ssh1x enable 334 ssh server enable 335 ssh server rekey interval 335 ssh user 336 ssh2 357 ssh2 ipv6 359 state 251 state ISP domain view 35 state local user view 48 state primary 78 state secondary 78 stop ac...

Search results

Summary of Contents for FlexNetwork HSR6800 series

Reviews:

Related manuals for FlexNetwork HSR6800 series

Brands by name

Popular brands

HPE FlexNetwork HSR6800 series, Security Command Reference

Search results

Summary of Contents for FlexNetwork HSR6800 series

Reviews:

Related manuals for FlexNetwork HSR6800 series

Brands by name

Popular brands