H3C MSR Series Command Reference Manual

Manual is about: Comware 7 Security

Summary of MSR Series

  • Page 1

    H3C MSR Router Series Comware 7 Security Command Reference. New H3C Technologies Co., Ltd. http://www.h3c.com.hk. Software version: MSR-CMW710-R0605. Document version: 6W200-20170608.

  • Page 2

    Copyright © 2017, New H3C Technologies Co., Ltd. and its licensors. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd. Trademarks: H3C, H3CS, H3CIE, H3CNE, Aolynk, H3Care, IRF, ...

  • Page 3: Preface

    Preface. This command reference describes the commands for configuring, displaying, and maintaining security features. This preface includes the following topics about the documentation: Audience; Conventions; Obtaining documentation; Technical support; Documentation feedback. Audience: This do...

  • Page 4

    Convention / Description: > Multi-level menus are separated by angle brackets. For example, File > Create > Folder. Symbols: Convention / Description: WARNING! An alert that calls attention to important information that if not understood or followed can result in personal injury. CAUTION: An alert that cal...

  • Page 5

    Examples provided in this document: Examples in this document might use devices that differ from your device in hardware model, configuration, or software version. It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your d...

  • Page 6

    Contents: AAA commands, p. 1; General AAA commands, p. 1; aaa nas-id profile ...

  • Page 7

    email, p. 66; full-name, p. 67; group ...

  • Page 8

    display hwtacacs scheme, p. 121; hwtacacs nas-ip, p. 123; hwtacacs scheme ...

  • Page 9

    dot1x smarton retry, p. 182; dot1x smarton switchid, p. 183; dot1x smarton timer supp-timeout ...

  • Page 10

    display portal packet statistics, p. 260; display portal redirect statistics, p. 265; display portal rule ...

  • Page 11

    portal logout-record export, p. 354; portal logout-record max, p. 356; portal mac-trigger-server ...

  • Page 12

    password-control enable, p. 414; password-control expired-user-login, p. 415; password-control history ...

  • Page 13

    pki domain, p. 479; pki entity, p. 480; pki export ...

  • Page 14

    reset ipsec statistics, p. 557; reverse-route dynamic, p. 557; reverse-route preference ...

  • Page 15

    certificate domain, p. 614; config-exchange, p. 615; display ikev2 policy ...

  • Page 16

    display ssh user-information, p. 674; scp server enable, p. 675; sftp server enable ...

  • Page 17

    pki-domain, p. 727; prefer-cipher, p. 728; server-verify enable ...

  • Page 18

    message-server, p. 780; mtu, p. 781; new-content ...

  • Page 19

    description (NBAR rule view), p. 833; destination, p. 834; direction ...

  • Page 20

    display connection-limit ipv6-stat-nodes, p. 925; display connection-limit statistics, p. 929; display connection-limit stat-nodes ...

  • Page 21

    display attack-defense policy ipv6, p. 1002; display attack-defense scan attacker ip, p. 1005; display attack-defense scan attacker ipv6 ...

  • Page 22

    syn-flood threshold, p. 1087; udp-flood action, p. 1087; udp-flood detect ...

  • Page 23

    Crypto engine commands, p. 1129; display crypto-engine, p. 1129; display crypto-engine statistics ...

  • Page 24: Aaa Commands

    AAA commands. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. IPv6-related parameters are not suppor...

  • Page 25

    aaa session-limit. Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method. Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method. Syntax: In non-FIPS mode: aaa sessio...

  • Page 27

    accounting command. Use accounting command to specify the command line accounting method. Use undo accounting command to restore the default. Syntax: accounting command hwtacacs-scheme hwtacacs-scheme-name; undo accounting command. Default: The default accounting methods of the ISP domain are used for ...

  • Page 30

    [Sysname] domain test [Sysname-isp-test] accounting ipoe local # In ISP domain test, perform RADIUS accounting for IPoE users based on scheme rd and use local accounting as the backup. system-view [Sysname] domain test [Sysname-isp-test] accounting ipoe radius-scheme rd local # In ISP domain test,...

  • Page 31

    local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines: You can specify one primary accounting method and multiple backup accounting methods. When...

  • Page 33

    Related commands: accounting default; hwtacacs scheme; local-user; radius scheme. accounting portal. Use accounting portal to specify accounting methods for portal users. Use undo accounting portal to restore the default. Syntax: In non-FIPS mode: accounting portal { broadcast radius-scheme radius-schem...

  • Page 34

    accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid. The following guidelines apply to broadcast accounting: • The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS sc...

  • Page 35

    undo accounting ppp. Default: The default accounting methods of the ISP domain are used for PPP users. Views: ISP domain view. Predefined user roles: network-admin. Parameters: broadcast: Broadcasts accounting requests to servers in RADIUS schemes. radius-scheme radius-scheme-name1: Specifies the primar...

  • Page 36

    # In ISP domain test, broadcast accounting requests of PPP users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup. system-view [Sysname] domain test [Sysname-isp-test] accounting ppp broadcast radius-scheme rd1 radius-scheme rd2 local Related commands: accounting de...

  • Page 39

    system-view [Sysname] domain test [Sysname-isp-test] accounting update-fail online. authentication advpn. Use authentication advpn to specify authentication methods for ADVPN users. Use undo authentication advpn to restore the default. Syntax: In non-FIPS mode: authentication advpn { local [ none ] ...

  • Page 40

    [Sysname-isp-test] authentication advpn radius-scheme rd local. Related commands: authentication default; local-user; radius scheme. authentication default. Use authentication default to specify default authentication methods for an ISP domain. Use undo authentication default to restore the default. Sy...

  • Page 41

    When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no a...

  • Page 42

    When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ike radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authenticatio...

  • Page 43

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines: You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use t...

  • Page 44

    Parameters: ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive ...

  • Page 47

    [Sysname-isp-test] authentication portal radius-scheme rd local. Related commands: authentication default; ldap scheme; local-user; radius scheme. authentication ppp. Use authentication ppp to specify authentication methods for PPP users. Use undo authentication ppp to restore the default. Syntax: In non...

  • Page 48

    Examples: # In ISP domain test, perform local authentication for PPP users. system-view [Sysname] domain test [Sysname-isp-test] authentication ppp local # In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup. system-view [Sy...

  • Page 49

    Usage guidelines: You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication sslvpn radius-scheme radius-scheme-name local none command ...

  • Page 50

    Usage guidelines: You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid. If you specify a scheme to provide the method for user role authentication, the following rules apply: • If an HWTACACS scheme is spec...

  • Page 51

    Parameters: local: Performs local authorization. none: Does not perform authorization. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines: The RADIUS authorization configuration takes effect only when authentica...

  • Page 52

    Views: ISP domain view. Predefined user roles: network-admin. Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The authorization server...

  • Page 53

    authorization default. Use authorization default to specify default authorization methods for an ISP domain. Use undo authorization default to restore the default. Syntax: In non-FIPS mode: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [...

  • Page 54

    authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid. Examples: # In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local autho...

  • Page 55

    Examples: # In ISP domain test, perform local authorization for IKE extended authentication. system-view [Sysname] domain test [Sysname-isp-test] authorization ike local. Related commands: authorization default; local-user. authorization ipoe. Use authorization ipoe to specify authorization methods for...

  • Page 56

    Examples: # In ISP domain test, perform local authorization for IPoE users. system-view [Sysname] domain test [Sysname-isp-test] authorization ipoe local # In ISP domain test, perform RADIUS authorization for IPoE users based on scheme rd and use local authorization as the backup. system-view [Sys...

  • Page 57

    When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authoriza...

  • Page 58

    Parameters: hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The following default authorization information applies after users pass authentic...

  • Page 61

    [Sysname] domain test [Sysname-isp-test] authorization ppp radius-scheme rd local. Related commands: authorization default; hwtacacs scheme; local-user; radius scheme. authorization sslvpn. Use authorization sslvpn to specify authorization methods for SSL VPN users. Use undo authorization sslvpn to rest...

  • Page 62

    Examples: # In ISP domain test, perform local authorization for SSL VPN users. system-view [Sysname] domain test [Sysname-isp-test] authorization sslvpn local # In ISP domain test, perform LDAP authorization for SSL VPN users based on scheme ldp and use local authorization as the backup. system-vi...

  • Page 63

    inbound: Specifies the upload rate of users. outbound: Specifies the download rate of users. cir committed-information-rate: Specifies the committed information rate in kbps, in the range of 1 to 4194303. pir peak-information-rate: Specifies the peak information rate in kbps, in the range of 1 to...

  • Page 64

    you configure the attribute in a portal preauthentication domain, the user profile applies before portal authentication. This option is applicable only to IPoE, LAN, portal, and PPP users. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the users belong. The vpn-instance...

  • Page 65

    Usage guidelines: This command takes effect only when the device acts as a PPPoE server or L2TP LNS. A PPPoE or L2TP user might request multiple services of different IP address types. By default, the device logs off the user if the user does not obtain an IPv4 address. This command enables the de...

  • Page 66

    Examples: # In ISP domain test, set the DHCPv6 request timeout timer to 90 seconds for PPPoE and L2TP users. system-view [Sysname] domain test [Sysname-isp-test] dhcpv6-follow-ipv6cp timeout 90. Related commands: basic-service-ip-type. display domain. Use display domain to display ISP domain configura...

  • Page 67

    Login authentication scheme: RADIUS=rad. Login authorization scheme: HWTACACS=hw. Super authentication scheme: RADIUS=rad. Command authorization scheme: HWTACACS=hw. LAN access authentication scheme: RADIUS=r4. PPP accounting scheme: RADIUS=r1, (RADIUS=r2), HWTACACS=tc, local. Portal authentication sch...

  • Page 68

    Field / Description: Default authentication scheme: Default authentication method. Default authorization scheme: Default authorization method. Default accounting scheme: Default accounting method. Accounting start failure action: Access control for users that encounter accounting-start failures: • Onlin...

  • Page 69

    Field / Description: User profile: Name of the authorization user profile. Inbound CAR: Authorized inbound CAR: • CIR—Committed information rate in bps. • PIR—Peak information rate in bps. Outbound CAR: Authorized outbound CAR: • CIR—Committed information rate in bps. • PIR—Peak information rate in bps...

  • Page 70

    Field / Description: IKE authentication scheme: IKE extended authentication methods. IKE authorization scheme: Authorization methods for IKE extended authentication. IPoE authentication scheme: Authentication methods for IPoE users. IPoE authorization scheme: Authorization methods for IPoE users. IPoE a...

  • Page 71

    Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users. Examples: # Create an ISP domain named test and enter ISP domain view. system-view [Sysname] domain test [Sysname-isp-test]. Related commands: display...

  • Page 72

    domain. domain if-unknown. Use domain if-unknown to specify an ISP domain that accommodates users that are assigned to nonexistent domains. Use undo domain if-unknown to restore the default. Syntax: domain if-unknown isp-domain-name; undo domain if-unknown. Default: No ISP domain is specified to accomm...

  • Page 73

    nas-id bind vlan. Use nas-id bind vlan to bind a NAS-ID with a VLAN. Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding. Syntax: nas-id nas-identifier bind vlan vlan-id; undo nas-id nas-identifier bind vlan vlan-id. Default: No NAS-ID and VLAN bindings exist. Views: NAS-ID profile view. Prede...

  • Page 74

    Predefined user roles: network-admin. Parameters: hsi: Specifies the high-speed Internet (HSI) service. This service is applicable to PPP, 802.1X, and IPoE leased line users. stb: Specifies the set top box (STB) service. This service is applicable to STB users. voip: Specifies the voice over IP (VoI...

  • Page 75

    • If the session-time include-idle-time command is configured, the device adds the idle cut period or user online detection interval to the actual online duration. The user online detection period is supported only by portal authentication. The online duration sent to the server is longer than th...

  • Page 77

    Default: The number of concurrent logins using the local user name is not limited. Views: Local user view. Predefined user roles: network-admin. Parameters: max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024. Usage guidelines: This command takes effect only whe...

  • Page 78

    Predefined user roles: network-admin. Parameters: acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL. callback-number callback-number: Specifies...

  • Page 79

    work-directory directory-name: Specifies an FTP, SFTP, or SCP working directory. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist. Usage guidelines: Configure authorization attributes according to the application environments and pur...

  • Page 80

    [Sysname] local-user abc class network [Sysname-luser-network-abc] authorization-attribute vlan 2 # Configure the authorized VLAN of user group abc as VLAN 3. system-view [Sysname] user-group abc [Sysname-ugroup-abc] authorization-attribute vlan 3 # Assign the security-audit user role to device m...

  • Page 81

    Usage guidelines: To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication. Binding attribute check takes effect on all ...

  • Page 82

    [Sysname] local-user abc class network guest [Sysname-luser-network(guest)-abc] company yyy. Related commands: display local-user. description. Use description to configure a description for a network access user. Use undo description to restore the default. Syntax: description text; undo description. D...

  • Page 83

    Parameters: user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The name cannot contain a domain name. If you do not specify a guest, this command displays pending registration requests for all local guests. Usage guidelines: On the Web regi...

  • Page 85

    Password control configurations: Password aging: Enabled (3 days). Network access user jj: State: Active. Service type: lan-access. User group: system. Bind attributes: IP address: 2.2.2.2. Location bound: GigabitEthernet1/0/1. MAC address: 0001-0001-0001. VLAN ID: 2. Calling number: 2:2. Authorization at...

  • Page 86

    Field / Description: IP address: IP address of the local user. Location bound: Binding port of the local user. MAC address: MAC address of the local user. VLAN ID: Binding VLAN of the local user. Calling number: Calling number of the ISDN user. Authorization attributes: Authorization attributes of the loc...

  • Page 87

    Field / Description: Password complexity: This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: • Whether the password can contain the username or the reverse of the username. • Whether the password can contain any char...

  • Page 88

    User group: system. Authorization attributes: Work directory: flash:. User group: jj. Authorization attributes: Idle timeout: 2 minutes. Callback number: 2:2. Work directory: flash:/. ACL number: 2000. VLAN ID: 2. User profile: pp. SSL VPN policy group: policygroup1. Password control configurations: Passwo...

  • Page 89

    Field / Description: Password composition: This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: • Minimum number of character types that the password must contain. • Minimum number of characters from each type in the ...

  • Page 90

    full-name. Use full-name to configure the name of a local guest. Use undo full-name to restore the default. Syntax: full-name name-string; undo full-name. Default: No name is configured for a local guest. Views: Local guest view. Predefined user roles: network-admin. Parameters: name-string: Specifies the ...

  • Page 91

    system-view [Sysname] local-user 111 class manage [Sysname-luser-manage-111] group abc. Related commands: display local-user. local-guest auto-delete enable. Use local-guest auto-delete enable to enable the guest auto-delete feature. Use undo local-guest auto-delete enable to restore the default. Syn...

  • Page 92

    Predefined user roles: network-admin. Parameters: to: Specifies the email recipient. guest: Specifies the local guest. manager: Specifies the guest manager. sponsor: Specifies the guest sponsor. body body-string: Configures the body content. The body-string argument is a case-sensitive string of 1 t...

  • Page 93

    Predefined user roles: network-admin. Parameters: email-address: Specifies the email sender address, a case-sensitive string of 1 to 255 characters. Usage guidelines: If you do not specify the email sender address, the device cannot send email notifications. The device supports only one email sender ...

  • Page 94

    Related commands: local-guest email format; local-guest email sender; local-guest manager-email; local-guest send-email. local-guest generate. Use local-guest generate to create local guests in batch. Syntax: local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suf...

  • Page 95

    expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00. Usage ...

  • Page 96

    Examples: # Configure the email address of the guest manager as xyz@yyy.com. system-view [Sysname] local-guest manager-email xyz@yyy.com. Related commands: local-guest email format; local-guest email sender; local-guest email smtp-server; local-guest send-email. local-guest send-email. Use local-guest s...

  • Page 97

    Default: The setting is 24 hours. Views: System view. Predefined user roles: network-admin. Parameters: time-value: Sets the waiting-approval timeout timer in the range of 1 to 720, in hours. Usage guidelines: The waiting-approval timeout timer starts when the registration request of a local guest is se...

  • Page 98

    all: Specifies all users. service-type: Specifies the local users that use a specific type of service. • advpn: ADVPN tunnel users. • ftp: FTP users. • http: HTTP users. • https: HTTPS users. • ike: IKE users that access the network through IKE extended authentication. • ipoe: IPoE users that ac...

  • Page 99

    Views: System view. Predefined user roles: network-admin. Parameters: url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters. Usage guidelines: You can import the user account information back to the device or to other devices that support the local-...

  • Page 100

    Parameters: url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters. validity-datetime: Specifies the guest validity period of the local guests. The expiration date and time must be later than the start date and time. start-date: ...

  • Page 101

    jack,abc,visit,jack chen,etp,jack@etp.com,1399899,"the manager of etp, come from tp.",sam wang,ministry of personnel,sam@yy.com. The device supports TFTP and FTP file transfer modes. Table 6 describes the valid URL formats of the .csv file. Table 6 URL formats: Protocol / URL format / Description: TFTP ...

  • Page 102

    Predefined user roles: network-admin. Parameters: cipher: Specifies a password in encrypted form. hash: Specifies a password encrypted by the hash algorithm. simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted fo...

  • Page 103

    Syntax: phone phone-number; undo phone. Default: No phone number is specified for a local guest. Views: Local guest view. Predefined user roles: network-admin. Parameters: phone-number: Specifies the phone number, a string of 1 to 32 characters that can contain only digits and hyphens (-). Examples: # Spec...

  • Page 105

    [Sysname] local-user user1 class manage [Sysname-luser-manage-user1] service-type telnet [Sysname-luser-manage-user1] service-type ftp. Related commands: display local-user. sponsor-department. Use sponsor-department to specify the department of the guest sponsor for a local guest. Use undo sponsor-d...

  • Page 106

    Predefined user roles: network-admin. Parameters: email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822. Examples: # Specify the email address as sam@a.com for the guest sponsor of local guest abc. system-view [Sysname] local-u...

  • Page 107

    undo state. Default: A local user is in active state. Views: Local user view. Predefined user roles: network-admin. Parameters: active: Places the local user in active state to allow the local user to request network services. block: Places the local user in blocked state to prevent the local user from ...

  • Page 108

    You can modify settings for the system-defined user group system, but you cannot delete the user group. Examples: # Create a user group named abc and enter user group view. system-view [Sysname] user-group abc [Sysname-ugroup-abc]. Related commands: display user-group. validity-datetime. Use validity-...

  • Page 109

    system-view [Sysname] local-user abc class network [Sysname-luser-network-abc] validity-datetime 2014/10/01 00:00:00 to 2015/10/02 12:00:00. Related commands: display local-user. RADIUS commands. aaa device-id. Use aaa device-id to configure the device ID. Use undo aaa device-id to restore the default...

  • Page 110

    Default: The accounting-on feature is disabled. Views: RADIUS scheme view. Predefined user roles: network-admin. Parameters: interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default settin...

  • Page 111

    Usage guidelines: The extended accounting-on feature enhances the accounting-on feature by applying to the scenario that an SPU reboots but the device does not reboot. For the extended accounting-on feature to take effect, you must enable the accounting-on feature. The extended accounting-on featu...

  • Page 112

    Usage guidelines: Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users. Examples: # Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1. system-...

  • Page 114

    Parameters: ip ipv4-address: Specifies a DAC by its IPv4 address. ipv6 ipv6-address: Specifies a DAC by its IPv6 address. key: Specifies the shared key for secure communication between the RADIUS DAC and DAS. Make sure the shared key is the same as the key configured on the RADIUS DAC. If the RADI...

  • Page 116

    93 State: Active Test profile: 132 Probe username: test Probe interval: 60 minutes Primary accounting server: IP : 1.1.1.1 Port: 1813 VPN : Not configured State: Active Second authentication server: IP : 3.3.3.3 Port: 1812 VPN : Not configured State: Block Test profile: Not configured Second account...

  • Page 117

    94 Field Description Port Service port number of the server. If no port number is specified, this field displays the default port number. VPN MPLS L3VPN instance to which the server belongs. If no VPN instance is specified for the server, this field displays Not configured. State Status of the serve...

  • Page 118

    95 Field Description Attribute remanent-volume unit Data measurement unit for the RADIUS Remanent_Volume attribute. display radius statistics Use display radius statistics to display RADIUS packet statistics. Syntax display radius statistics Views Any view Predefined user roles network-admin network...

  • Page 119

    96 Field Description Account start Number of start-accounting packets. Account update Number of accounting update packets. Account stop Number of stop-accounting packets. Terminate request Number of packets for logging off users forcibly. Set policy Number of packets for updating user authorization ...

  • Page 120

    97 Usage guidelines The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers. The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this comman...

  • Page 121

    98 As a best practice to avoid RADIUS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing RADIUS packets. If you use both the nas-ip command and radius nas-ip command, the following guidelines apply: • The setting configured by using...

  • Page 122

    99 [Sysname] radius dynamic-author server [Sysname-radius-da-server] port 3790 Related commands client radius dynamic-author server primary accounting (RADIUS scheme view) Use primary accounting to specify the primary RADIUS accounting server. Use undo primary accounting to restore the default. Synt...

  • Page 123

    100 The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this comma...

  • Page 124

    101 key: Specifies the shared key for secure communication with the primary RADIUS authentication server. cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form. string: Spe...

  • Page 125

    102 radius dscp Use radius dscp to change the DSCP priority of RADIUS packets. Use undo radius dscp to restore the default. Syntax radius [ ipv6 ] dscp dscp-value undo radius [ ipv6 ] dscp Default The DSCP priority of RADIUS packets is 0. Views System view Predefined user roles network-admin Paramet...

  • Page 126

    103 Usage guidelines When you enable the RADIUS DAS feature, the device listens on UDP port 3799 to receive DAE packets from specified DACs. Examples # Enable the RADIUS DAS feature and enter RADIUS DAS view. system-view [Sysname] radius dynamic-author server [Sysname-radius-da-server] Related comma...

  • Page 127

    104 If you use both the nas-ip command and radius nas-ip command, the following guidelines apply: • The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme. • The setting configured by the radius nas-ip command in system view applies to all RADIUS schemes...

  • Page 128

    105 [Sysname] radius scheme radius1 [Sysname-radius-radius1] Related commands display radius scheme radius session-control client Use radius session-control client to specify a RADIUS session-control client. Use undo radius session-control client to remove the specified RADIUS session-control client...

  • Page 129

    106 The IP, VPN instance, and shared key settings of the session-control client must be the same as the settings of the RADIUS server. The system supports multiple RADIUS session-control clients. Examples # Specify a session-control client with IP address 10.110.1.2 and shared key 12345 in plaintext...

  • Page 130

    107 Predefined user roles network-admin Parameters profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters. username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters. interv...

  • Page 131

    108 retry Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use undo retry to restore the default. Syntax retry retries undo retry Default The maximum number of RADIUS packet transmission attempts is 3. Views RADIUS scheme view Predefined use...

  • Page 132

    109 retry realtime-accounting Use retry realtime-accounting to set the maximum number of accounting attempts. Use undo retry realtime-accounting to restore the default. Syntax retry realtime-accounting retries undo retry realtime-accounting Default The maximum number of accounting attempts is 5. Vie...

  • Page 134

    111 If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for acco...

  • Page 135

    112 port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812. key: Specifies the shared key for secure communication with the secondary RADIUS authentication server. cipher: Specifies t...

  • Page 136

    113 [Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 Related commands display radius scheme key (RADIUS scheme view) primary authentication (RADIUS scheme view) radius-server test-profile vpn-instance (RADIUS scheme view) snmp-agent trap enable radius Use snmp-agent trap enable radi...

  • Page 137

    114 • RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires. • Excessive authentication failures notification—RADIUS generates this notification when the number of authentication ...

  • Page 138

    115 Examples # In RADIUS scheme radius1, set the primary authentication server to the blocked state. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] state primary authentication block Related commands display radius scheme radius-server test-profile state secondary state seconda...

  • Page 139

    116 When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary...

  • Page 140

    117 [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer quiet 10 Related commands display radius scheme timer realtime-accounting (RADIUS scheme view) Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default. Syntax ...

  • Page 141

    118 Related commands retry realtime-accounting timer response-timeout (RADIUS scheme view) Use timer response-timeout to set the RADIUS server response timeout timer. Use undo timer response-timeout to restore the default. Syntax timer response-timeout seconds undo timer response-timeout Default The...

  • Page 143

    120 Use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The RADIUS scheme belongs to the public network. Views RADIUS scheme view Predefined user roles network-admin Parameters vpn-instance-name: Specifies an MPLS L3VPN instance by its name, ...

  • Page 145

    122 Single-connection: Enabled Primary author server: IP : 2.2.2.2 Port: 49 State: Active VPN instance: 2 Single-connection: Disabled Primary acct server: IP : Not configured Port: 49 State: Block VPN instance: Not configured Single-connection: Disabled VPN instance : 2 NAS IP address : 2.2.2.3 Serv...

  • Page 146

    123 Field Description Response timeout interval(seconds) HWTACACS server response timeout period, in seconds. Username format Format for the usernames sent to the HWTACACS server. Possible values include: • with-domain—Includes the domain name. • without-domain—Excludes the domain name. • keep-origi...

  • Page 147

    124 As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing HWTACACS packets. If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: • The setting configured b...

  • Page 148

    125 Examples # Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view. system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] Related commands display hwtacacs scheme key (HWTACACS scheme view) Use key to set the shared key for secure HWTACACS authentication, authorization, ...

  • Page 149

    126 [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key authentication simple 123456testauth&! # Set the shared key to 123456testautr&! in plaintext form for secure HWTACACS authorization communication. [Sysname-hwtacacs-hwt1] key authorization simple 123456testautr&! # Set the shared key to ...

  • Page 150

    127 • The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme. • The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes. • The setting in HWTACACS scheme view takes precedence over the setting ...

  • Page 151

    128 • In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters. • In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 charac...

  • Page 152

    129 Views HWTACACS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server. ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server. port-number: Specifies the service port n...

  • Page 153

    130 Related commands display hwtacacs scheme key (HWTACACS scheme view) secondary authentication (HWTACACS scheme view) vpn-instance (HWTACACS scheme view) primary authorization Use primary authorization to specify the primary HWTACACS authorization server. Use undo primary authorization to restore ...

  • Page 154

    131 vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make ...

  • Page 156

    133 Usage guidelines Make sure that the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server. An HWTACACS scheme supports a maximum of 16 secondary HWTACACS accounting servers. If the primary server fails, the device tries to ...

  • Page 157

    134 ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server. port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49. key: Specifies the shar...

  • Page 158

    135 key (HWTACACS scheme view) primary authentication (HWTACACS scheme view) vpn-instance (HWTACACS scheme view) secondary authorization Use secondary authorization to specify a secondary HWTACACS authorization server. Use undo secondary authorization to remove a secondary HWTACACS authorization ser...

  • Page 159

    136 Usage guidelines Make sure that the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server. An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If the primary server fails, the device tri...

  • Page 160

    137 Examples # In HWTACACS scheme hwt1, set the server quiet timer to 10 minutes. system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] timer quiet 10 Related commands display hwtacacs scheme timer realtime-accounting (HWTACACS scheme view) Use timer realtime-accounting to set the real-...

  • Page 161

    138 Related commands display hwtacacs scheme timer response-timeout (HWTACACS scheme view) Use timer response-timeout to set the HWTACACS server response timeout timer. Use undo timer response-timeout to restore the default. Syntax timer response-timeout seconds undo timer response-timeout Default T...

  • Page 162

    139 Views HWTACACS scheme view Predefined user roles network-admin Parameters keep-original: Sends the username to the HWTACACS server as the username is entered. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server. without-domain: Excludes the ISP domain name from ...

  • Page 163

    140 Parameters vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS ser...

  • Page 164

    141 system-view [Sysname] ldap scheme test [Sysname-ldap-test] attribute-map map1 Related commands display ldap-scheme ldap attribute-map authentication-server Use authentication-server to specify the LDAP authentication server for an LDAP scheme. Use undo authentication-server to restore the defaul...

  • Page 165

    142 Default No LDAP authorization server is specified. Views LDAP scheme view Predefined user roles network-admin Parameters server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters. Usage guidelines You can specify only one LDAP authorization serve...

  • Page 166

    143 IP : 1.1.1.1 Port : 111 VPN instance : Not configured LDAP protocol version : LDAPv3 Server timeout interval : 10 seconds Login account DN : Not configured Base DN : Not configured Search scope : all-level User searching parameters: User object class : Not configured Username attribute : cn User...

  • Page 167

    144 Field Description Search scope User DN search scope, including: • all-level—All subdirectories. • single-level—Next lower level of subdirectories under the base DN. User searching parameters User search parameters. User object class User object class for user DN search. If no user object class i...

  • Page 168

    145 Related commands ldap server ipv6 Use ipv6 to configure the IPv6 address and port number of the LDAP server. Use undo ipv6 to restore the default. Syntax ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ipv6 Default An LDAP server does not have an IPv6 address or port...

  • Page 169

    146 undo ldap attribute-map map-name Default No LDAP attribute maps exist. Views System view Predefined user roles network-admin Parameters map-name: Specifies the name of the LDAP attribute map, a case-insensitive string of 1 to 31 characters. Usage guidelines Execute this command multiple times to...

  • Page 170

    147 Usage guidelines An LDAP scheme can be used by more than one ISP domain at the same time. You can configure a maximum of 16 LDAP schemes. Examples # Create an LDAP scheme named ldap1 and enter LDAP scheme view. system-view [Sysname] ldap scheme ldap1 [Sysname-ldap-ldap1] Related commands display...

  • Page 171

    148 Default No administrator DN is specified. Views LDAP server view Predefined user roles network-admin Parameters dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters. Usage guidelines The administrator DN specified on the device m...

  • Page 172

    149 Usage guidelines This command is effective only after the login-dn command is configured. Examples # Specify the administrator password as abcdefg in plaintext form for LDAP server ccc. system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] login-password simple abcdefg Related commands...

  • Page 173

    150 Examples # In LDAP attribute map map1, map a partial value string of the LDAP attribute named memberof to the AAA attribute named user-group. system-view [Sysname] ldap attribute-map map1 [Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group Related comm...

  • Page 174

    151 search-base-dn Use search-base-dn to specify the base DN for user search. Use undo search-base-dn to restore the default. Syntax search-base-dn base-dn undo search-base-dn Default No base DN is specified for user search. Views LDAP server view Predefined user roles network-admin Parameters base-...

  • Page 175

    152 single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN. Examples # Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc. system-view [Sysname] ldap server ccc [Sysname-ldap-server...

  • Page 177: 802.1X Commands

    154 802.1X commands This feature is supported only on the following ports: • Layer 2 Ethernet ports on Ethernet switching modules. • Fixed Layer 2 Ethernet ports of the following routers: MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-LM-HK/810-W-LM-HK/810-10-PoE/810-LMS/810-LUS. MSR2600-10-X1. MSR3600-...

  • Page 178

    155 Predefined user roles network-admin network-operator Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics. ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_)...

  • Page 179

    156 Handshake : Enabled Handshake reply : Disabled Handshake security : Disabled Unicast trigger : Disabled Periodic reauth : Disabled Port role : Authenticator Authorization mode : Auto Port access control : Port-based Multicast trigger : Enabled Mandatory auth domain : Not configured Guest VLAN : ...

  • Page 180

    157 Error packets: 0 Online 802.1X users: 1 MAC address Auth state 0001-0000-0002 Authenticated Table 13 Command output Field Description Global 802.1X parameters Global 802.1X configuration. 802.1X authentication Whether 802.1X is enabled globally. CHAP authentication Performs EAP termination and u...

  • Page 181

    158 Field Description 802.1X authentication Whether 802.1X is enabled on the port. Handshake Whether the online user handshake feature is enabled on the port. Handshake reply Whether the online user handshake reply feature is enabled on the port. Handshake security Whether the online user handshake ...

  • Page 182

    159 Field Description MAC address MAC addresses of the online 802.1X users. Auth state Authentication status of the online 802.1X users. AP name Name of the AP with which users are associated. Radio ID ID of the radio with which users are associated. SSID SSID with which users are associated. BSSID ...

  • Page 183

    160 interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays online 802.1X user information for all ports. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays online ...

  • Page 184

    161 Authentication method : CHAP Initial VLAN : 1 Authorization VLAN : N/A Authorization ACL number : 3001 Termination action : Default Session timeout period : 2 sec Online from : 2013/03/02 13:14:15 Online duration : 0 h 2 m 15 s # (Distributed devices in standalone mode.) Display information abou...

  • Page 185

    162 Online from: 2013/03/02 13:14:15 Online duration: 0h 2m 15s User MAC address : 0015-e9a6-7cfe AP name : ap1 Radio ID : 1 SSID : wlan_dot1x_ssid BSSID : 0015-e9a6-7cf0 User name : ias Authentication domain : 1 IPv4 address : 192.168.1.1 IPv6 address : 2000:0:0:0:1:2345:6789:abcd Authentication me...

  • Page 186

    163 Field Description Access interface Interface through which the user accesses the device. AP name Name of the AP with which the user is associated. Radio ID ID of the radio with which the user is associated. SSID SSID with which the user is associated. BSSID ID of the BSS with which the user is ass...

  • Page 187

    164 dot1x Use dot1x to enable 802.1X globally or on a port. Use undo dot1x to disable 802.1X globally or on a port. Syntax dot1x undo dot1x Default 802.1X is neither enabled globally nor enabled for any port. Views System view Ethernet interface view Predefined user roles network-admin Usage guideli...

  • Page 188

    165 Parameters chap: Configures the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server. eap: Configures the access device to relay EAP packets, and supports any of the EAP ...

  • Page 189

    166 Default No 802.1X Auth-Fail VLAN exists. Views Ethernet interface view Predefined user roles network-admin Parameters authfail-vlan-id: Specifies the ID of the 802.1X Auth-Fail VLAN on the port. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super ...

  • Page 190

    167 Usage guidelines An 802.1X critical VLAN accommodates users that have failed 802.1X authentication because all the RADIUS servers in their ISP domains are unreachable. To delete a VLAN that has been configured as an 802.1X critical VLAN, you must first use the undo dot1x critical vlan command. E...

  • Page 191

    168 Examples # Specify the at sign (@) and forward slash (/) as domain name delimiters. system-view [Sysname] dot1x domain-delimiter @/ Related commands display dot1x dot1x ead-assistant enable Use dot1x ead-assistant enable to enable the EAD assistant feature. Use undo dot1x ead-assistant enable to...

  • Page 192

    169 Examples # Enable the EAD assistant feature. system-view [Sysname] dot1x ead-assistant enable Related commands display dot1x dot1x ead-assistant free-ip dot1x ead-assistant url dot1x ead-assistant free-ip Use dot1x ead-assistant free-ip to configure a free IP. Use undo dot1x ead-assistant free-i...

  • Page 193

    170 Execute this command multiple times to configure multiple free IPs. With EAD assistant enabled on the device, unauthenticated 802.1X users can access the network resources in the free IP segments before they pass 802.1X authentication. Examples # Configure 192.168.1.1/16 as a free IP. system-vie...

  • Page 194

    171 When an unauthenticated user uses a web browser to access networks other than the free IP, the device redirects the user to the redirect URL. The redirect URL must be on the free IP subnet. If you execute this command multiple times, the most recent configuration takes effect. Examples # Configu...

  • Page 195

    172 Related commands display dot1x dot1x handshake Use dot1x handshake to enable the online user handshake feature. Use undo dot1x handshake to disable the online user handshake feature. Syntax dot1x handshake undo dot1x handshake Default The online user handshake feature is enabled. Views Ethernet ...

  • Page 196

    173 Views Ethernet interface view Predefined user roles network-admin Usage guidelines This command enables the device to reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets during the online handshake process. As a best practice, use this command only if 802.1X clients w...

  • Page 197

    174 Related commands display dot1x dot1x handshake dot1x mandatory-domain Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port. Use undo dot1x mandatory-domain to restore the default. Syntax dot1x mandatory-domain domain-name undo dot1x mandatory-domain Default No...

  • Page 198

    175 Default The device allows a maximum of 4294967295 concurrent 802.1X users on a port. Views Ethernet interface view Predefined user roles network-admin Parameters max-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 4294967295. Usage guidelines Se...

  • Page 199

    176 Examples # Enable the multicast trigger feature on GigabitEthernet 1/0/1. system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x multicast-trigger Related commands display dot1x dot1x timer tx-period dot1x unicast-trigger dot1x port-control Use dot1x port-cont...

  • Page 201

    178 Syntax dot1x quiet-period undo dot1x quiet-period Default The quiet timer is disabled. Views System view Predefined user roles network-admin Usage guidelines When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the cl...

  • Page 202

    179 Examples # Enable the 802.1X periodic online user reauthentication feature on GigabitEthernet 1/0/1, and set the periodic reauthentication interval to 1800 seconds. system-view [Sysname] dot1x timer reauth-period 1800 [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x...

  • Page 203

    180 Syntax dot1x retry retries undo dot1x retry Default A maximum of two attempts are made to send an authentication request to a client. Views System view Predefined user roles network-admin Parameters retries: Specifies the maximum number of attempts for sending an authentication request to a clie...

  • Page 204

    181 Predefined user roles network-admin Usage guidelines The SmartOn feature and the online user handshake feature are mutually exclusive. When a SmartOn-enabled port receives an EAPOL-Start packet from an 802.1X client, it sends a unicast EAP-Request/Notification packet to the client. The client wi...

  • Page 205

    182 If you execute this command multiple times, the most recent configuration takes effect. Examples # Set the SmartOn password to abc in plaintext form. system-view [Sysname] dot1x smarton password simple abc Related commands display dot1x dot1x smarton dot1x smarton switchid dot1x smarton retry Us...

  • Page 206

    183 dot1x smarton switchid Use dot1x smarton switchid to set a SmartOn switch ID. Use undo dot1x smarton switchid to restore the default. Syntax dot1x smarton switchid switch-string undo dot1x smarton switchid Default No SmartOn switch ID exists. Views System view Predefined user roles network-admin...

  • Page 207

    184 Parameters supp-timeout-value: Specifies the SmartOn client timeout timer in seconds. The value range is 10 to 120. Usage guidelines The SmartOn client timeout timer starts when the device sends an EAP-Request/Notification packet to the client. If the device does not receive any EAP-Response/Not...

  • Page 208

    185 Parameters ead-timeout ead-timeout-value: Specifies the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440. The following matrix shows the ead-timeout ead-timeout-value option and hardware compatibility: Hardware Option compatibility MSR810/810-W/810-W-DB/...

  • Page 209

    186 • Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client. • Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reau...

  • Page 210

    187 Examples # Enable the unicast trigger feature on GigabitEthernet 1/0/1. system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x unicast-trigger Related commands display dot1x dot1x multicast-trigger dot1x retry dot1x timer reset dot1x guest-vlan Use reset dot1x...

  • Page 211

    188 Predefined user roles network-admin Parameters ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an a...

  • Page 212

    189 MAC authentication commands MAC authentication commands are supported only on the following ports: • Layer 2 Ethernet ports on the following modules: HMIM-8GSW. HMIM-24GSW. HMIM-24GSWP. SIC-4GSW. • Fixed Layer 2 Ethernet ports on the following routers: MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-L...

  • Page 213

    190 Wired devices: display mac-authentication [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, ...

  • Page 214

    191 Authentication attempts : successful 2, failed 3 Current online users : 1 MAC address Auth state 0001-0000-0000 Authenticated 0001-0000-0001 Unauthenticated AP name: ap1 Radio ID: 1 SSID: wlan_maca_ssid BSSID : 1111-1111-1111 MAC authentication : Enabled Authentication domain : Not configured Ma...

  • Page 215

    192 Field Description Online MAC-auth wireless users Number of wireless online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication. Silent MAC users Information about silent MAC addresses. MAC address Silent MAC address. VLAN...

  • Page 217

    194 chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information about...

  • Page 218

    195 # (Distributed devices in standalone mode.) Display information about all online MAC authentication users. display mac-authentication connection Total connections: 1 Slot ID: 0 User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet1/0/1 Username: ias Authentication domain: h3c Initia...

  • Page 219

    196 Authorization user profile : N/A Termination action : radius-request Session timeout period : 2 sec Online from : 2014/06/02 13:14:15 Online duration : 0h 2m 15s # (Distributed devices in IRF mode.) Display information about all online MAC authentication users. display mac-authentication connect...

  • Page 220

    197 Field Description Authorization ACL ID/number ACL authorized to the user. Authorization user profile User profile authorized to the user. Termination action Action attribute assigned by the server when the session timeout timer expires. The following server-assigned action attributes are availab...

  • Page 221

    198 mac-authentication domain Use mac-authentication domain to specify a global or port-specific authentication domain. Use undo mac-authentication domain to restore the default. Syntax mac-authentication domain domain-name undo mac-authentication domain Default The system default authentication domai...

  • Page 222

    199 syntax mac-authentication host-mode multi-vlan undo mac-authentication host-mode default mac authentication multi-vlan mode is disabled on a port. When the port receives a packet sourced from an authenticated mac address in a vlan not matching the existing mac-vlan mapping, the device logs off a...

  • Page 223

    200 parameters max-number: specifies the maximum number of concurrent mac authentication users on the port. The value range for this argument is 1 to 4294967295. Usage guidelines set the maximum number of concurrent mac authentication users on a port to prevent the system resources from being overus...

  • Page 224

    201 [sysname-gigabitethernet1/0/1] mac-authentication re-authenticate server-unreachable keep-online related commands display mac-authentication mac-authentication timer use mac-authentication timer to set the mac authentication timers. Use undo mac-authentication timer to restore the defaults. Synt...

  • Page 225

    202 mac-authentication timer auth-delay use mac-authentication timer auth-delay to enable mac authentication delay and set the delay time. Use undo mac-authentication timer auth-delay to restore the default. Syntax mac-authentication timer auth-delay time undo mac-authentication timer auth-delay def...

  • Page 226

    203 undo mac-authentication user-name-format default each user's mac address is used as the username and password for mac authentication. A mac address is in the hexadecimal notation without hyphens, and letters are in lower case. Views system view predefined user roles network-admin parameters fixe...

  • Page 228: Port Security Commands

205 Port security commands This feature is supported only on the following ports: • Layer 2 Ethernet ports on Ethernet switching modules. • Fixed Layer 2 Ethernet ports of the following routers: MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-LM-HK/810-W-LM-HK/810-10-PoE/810-LMS/810-LUS. MSR2600-10-X1. M...

  • Page 229

    206 port security : enabled autolearn aging time : 0 min disableport timeout : 20 s mac move : denied authorization fail : online nas-id profile : not configured dot1x-failure trap : disabled dot1x-logon trap : disabled dot1x-logoff trap : enabled intrusion trap : disabled address-learned trap : ena...

  • Page 230

    207 field description intrusion trap whether snmp notifications for intrusion protection are enabled. If they are enabled, the device sends snmp notifications after illegal packets are detected. Address-learned trap whether snmp notifications for mac address learning are enabled. If they are enabled...

  • Page 231

    208 field description aging type secure mac address aging type: • periodical—timer aging only. • inactivity—inactivity aging feature together with the aging timer. Max secure mac addresses maximum number of secure mac addresses (or online users) that port security allows on the port. Current secure ...

  • Page 232

    209 # (distributed devices in standalone mode/centralized devices in irf mode.) display information about all blocked mac addresses. Display port-security mac-address block mac addr port vlan id --- on slot 0, no mac address found --- mac addr port vlan id 000f-3d80-0d2d ge1/0/1 30 --- on slot 1, 1 ...

  • Page 233

    210 0002-0002-0002 ge1/0/1 1 000d-88f8-0577 ge1/0/1 1 --- 2 mac address(es) found --- # (distributed devices in standalone mode/centralized devices in irf mode.) display information about all blocked mac addresses in vlan 30. Display port-security mac-address block vlan 30 mac addr port vlan id --- ...

  • Page 234

    211 000f-3d80-0d2d ge1/0/1 30 --- on slot 1 in chassis 1, 1 mac address(es) found --- --- 1 mac address(es) found --- # (centralized devices in standalone mode.) display information about all blocked mac addresses of gigabitethernet 1/0/1 in vlan 1. Display port-security mac-address block interface ...

  • Page 235

    212 related commands port-security intrusion-mode display port-security mac-address security use display port-security mac-address security to display information about secure mac addresses. Syntax display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-i...

  • Page 236

    213 display port-security mac-address security interface gigabitethernet 1/0/1 mac addr vlan id state port index aging time 000d-88f8-0577 1 security ge1/0/1 noaged --- 1 mac address(es) found --- # display information about secure mac addresses of gigabitethernet 1/0/1 in vlan 1. Display port-secur...

  • Page 237

    214 usage guidelines after a user passes radius or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a vlan. If you do not want the port to use such authorization attributes for users, use...

  • Page 238

    215 port-security enable use port-security enable to enable port security. Use undo port-security enable to disable port security. Syntax port-security enable undo port-security enable default port security is disabled. Views system view predefined user roles network-admin usage guidelines you must ...

  • Page 239

    216 views layer 2 ethernet interface view predefined user roles network-admin parameters blockmac: adds the source mac addresses of illegal frames to the blocked mac address list and discards frames with blocked source mac addresses. This action implements illegal traffic filtering on the port. A bl...

  • Page 240

    217 syntax port-security mac-address aging-type inactivity undo port-security mac-address aging-type inactivity default the inactivity aging feature is disabled for secure mac addresses. Views layer 2 ethernet interface view predefined user roles network-admin usage guidelines if only the aging time...

  • Page 241

    218 after you execute this command, you cannot manually configure sticky mac addresses, and secure mac addresses learned by a port in autolearn mode are dynamic. All dynamic mac addresses are lost at reboot. Use this command when you want to clear all sticky mac addresses after a device reboot. You ...

  • Page 242

    219 usage guidelines secure mac addresses are mac addresses configured or learned in autolearn mode, and if saved, can survive a device reboot. You can bind a secure mac address only to one port in a vlan. You can add important or frequently used mac addresses as sticky or static secure mac addresse...

  • Page 243

    220 syntax port-security mac-move permit undo port-security mac-move permit default mac move is disabled on the device. Views system view predefined user roles network-admin usage guidelines this command takes effect on both 802.1x and mac authentication users. Mac move allows 802.1x or mac authenti...

  • Page 244

    221 usage guidelines for autolearn mode, this command sets the maximum number of secure mac addresses (both configured and automatically learned) on the port. In any other mode that enables 802.1x, mac authentication, or both, this command sets the maximum number of authenticated mac addresses on th...

  • Page 245

    222 2. The nas-id profile applied globally. If no nas-id profile is applied or no matching binding is found in the selected profile, the device uses the device name as the nas-id. Examples # apply the nas-id profile aaa to gigabitethernet 1/0/1 for port security. System-view [sysname] interface giga...

  • Page 246

223 MSR2600-10-X1. MSR3600-28/3600-51. MSR3600-28-SI/3600-51-SI. The NTK feature checks the destination MAC addresses in outbound frames. This feature allows frames to be sent only to devices passing authentication, preventing illegal devices from intercepting network traffic. Examples # Set the NTK...

  • Page 247

    224 system-view [sysname] port-security oui index 4 mac-address 000d-2a10-0033 related commands display port-security port-security port-mode use port-security port-mode to set the port security mode of a port. Use undo port-security port-mode to restore the default. Syntax port-security port-mode {...

  • Page 248

225 Keyword Security mode Description mac-else-userlogin-secure macAddressElseUserLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. In this mode, the port allows one 802.1X authentication user and multi...

  • Page 249

    226 usage guidelines the userlogin mode is supported on any layer ethernet ports. Other port security modes are supported only on the following ports: • layer 2 ethernet ports on the following modules: hmim-8gsw. Hmim-24gsw. Hmim-24gswp. Sic-4gsw. • fixed layer 2 ethernet ports on the following rout...

  • Page 250

    227 syntax port-security timer autolearn aging time-value undo port-security timer autolearn aging default secure mac addresses do not age out. Views system view predefined user roles network-admin parameters time-value: specifies the aging timer in minutes for secure mac addresses. The value is in ...

  • Page 251

    228 parameters time-value: specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300. Usage guidelines if you configure the intrusion protection action as disabling the port temporarily, use this command to set the silence period. Examples...

  • Page 252

    229 usage guidelines to report critical port security events to an nms, enable snmp notifications for port security. For port security event notifications to be sent correctly, you must also configure snmp on the device. For more information about snmp configuration, see the network management and m...

  • Page 253: Portal Commands

230 Portal commands WLAN is not supported on the following routers: • MSR810-LMS/810-LUS. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC. • MSR5620/5560/5680. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-L...

  • Page 254

    231 usage guidelines if a portal user fails aaa in mac-trigger authentication, the user cannot trigger authentication before the mac-trigger entry of the user ages out. After the mac-trigger entry ages out, the user triggers mac-trigger authentication when it accesses the network. After this feature...

  • Page 255

    232 system-view [sysname] portal mac-trigger-server mts [sysname-portal-mac-trigger-server-mts] aging-time 300 related commands display portal mac-trigger-server app-id use app-id to specify the app id for qq authentication. Use undo app-id to restore the default. Syntax app-id app-id undo app-id de...

  • Page 257

    234 authentication-timeout use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving the mac binding query response. Use undo authentication-timeout to restore the default. Syntax authe...

  • Page 258

235 Predefined user roles network-admin Parameters url-string: Specifies the URL of the QQ authentication server, a case-sensitive string of 1 to 256 characters. Make sure that you specify the actual URL of the QQ authentication server. Examples # Specify http://oauth.qq.com as the URL of the QQ aut...

  • Page 260

    237 [sysname] portal web-server wbs [sysname-portal-websvr-wbs] captive-bypass android enable related commands display portal web-server display portal captive-bypass statistics cloud-binding enable use cloud-binding enable to enable cloud mac-trigger authentication. Use undo cloud-binding enable to...

  • Page 261

    238 related commands display portal mac-trigger-server cloud-server url use cloud-server url to specify the url of the cloud portal authentication server. Use undo cloud-server url to restore the default. Syntax cloud-server url url-string undo cloud-server url default the url of the cloud portal au...

  • Page 262

239 [Sysname] portal mac-trigger-server mts [Sysname-portal-mac-trigger-server-mts] cloud-server url http://lvzhou.h3c.com Related commands display portal mac-trigger-server default-logon-page Use default-logon-page to specify the default authentication page file for the local portal web server. Use...

  • Page 264

    241 authentication type: layer3 portal vsrp status: m_delay portal web server: wbs(active) secondary portal web server: wbs sec portal mac-trigger-server: mts authentication domain: my-domain pre-auth domain: abc extend-auth domain: abc user-dhcp-only: enabled pre-auth ip pool: ab max portal users: ...

  • Page 265

    242 destination authentication subnet: ip address prefix length # display portal configuration and portal running state on ap ap1. (wireless application.) display portal ap ap1 portal information of ap1 radio id: 1 ssid: portal authorization : strict checking acl : disable user profile : disable dua...

  • Page 266

    243 # display portal configuration and portal running state on vlan-interface 30. Display portal vlan-interface 30 portal information of vlan-interface30 nas-id profile: not configured authorization : strict checking acl : disable user profile : disable dual stack : disabled dual traffic-separate: d...

  • Page 267

    244 layer3 source network: ip address prefix length destination authentication subnet: ip address prefix length table 20 command output field description portal information of interface portal configuration on the interface. Radio id id of the radio. Ssid service set identifier. Nas-id profile nas-i...

  • Page 268

    245 field description portal vsrp status status of the portal vsrp on the interface: • m_initial—the master device is in initial state. • m_delay—the master device is in delayed state. (the device will switch to the master state after the delay time.) • m_alone—the master device is in standalone sta...

  • Page 269

    246 field description user-dhcp-only status of the user-dhcp-only feature: • enabled: only users with ip addresses obtained through dhcp can perform portal authentication. • disabled: both users with ip addresses obtained through dhcp and users with static ip addresses can pass authentication to get...

  • Page 270

    247 network-operator parameters all: specifies all portal authentication error records. Ipv4 ipv4-address: specifies the ipv4 address of a portal user. Ipv6 ipv6-address: specifies the ipv6 address of a portal user. Start-time start-date start-time end-time end-date end-time: specifies a time range....

  • Page 271

    248 display portal auth-error-record ip 192.168.0.188 user mac : 0016-ecb7-a879 interface : wlan-bss1/0/1 user ip address : 192.168.0.188 ap : ap1 ssid : byod auth error time : 2016-03-04 16:49:07 auth error reason : the maximum number of users already reached. # display portal authentication error ...

  • Page 272

249 Field Description Auth error reason Reason for the authentication error: • The maximum number of users already reached. • Failed to obtain user physical information. • Failed to receive the packet because packet length is 0. • Packet source unknown. Server IP: X.X.X.X, VRF index: 0. • Packet valid...

  • Page 273

250 Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS No MSR2600-10-X1 Yes MSR 2630 Yes MSR3600-28/3600-51 Yes MSR3600-28-SI/3600-51-SI Yes MSR3610...

  • Page 274

    251 display portal auth-fail-record ipv6 2000::2 user name : test@abc user mac : 0016-ecb7-a879 interface : wlan-bss1/0/1 user ip address : 2000::2 ap : ap1 ssid : byod auth failure time : 2016-03-04 16:49:07 auth failure reason : authorization information does not exist. # display portal authentica...

  • Page 275

    252 related commands portal auth-fail-record enable reset portal auth-fail-record display portal captive-bypass statistics use display portal captive-bypass statistics to display packet statistics for portal captive-bypass. Syntax centralized devices in standalone mode: display portal captive-bypass...

  • Page 276

    253 table 23 command output field description user type type of users: • ios. • android. Packets number of portal captive-bypass packets sent to the users. Related commands captive-bypass enable display portal extend-auth-server use display portal extend-auth-server to display information about thir...

  • Page 277

    254 field description redirect url redirection url for qq authentication success. Mail protocol protocols supported by the email authentication service. Mail domain name email domain names supported by the email authentication service. Related commands portal extend-auth-server display portal local-...

  • Page 279

    256 total logout records: 2 user name : test@abc user mac : 0016-ecb7-a879 interface : wlan-bss1/0/1 user ip address : 192.168.0.8 ap : ap1 ssid : byod user login time : 2016-03-04 14:20:19 user logout time : 2016-03-04 14:22:05 logout reason : admin reset user name : coco user mac : 0016-ecb7-a235 ...

  • Page 280

    257 user ip address : 192.168.0.8 ap : ap1 ssid : byod user login time : 2016-03-04 14:20:19 user logout time : 2016-03-04 14:22:05 logout reason : admin reset table 26 command output field description total logout records total number of portal user offline records. User name username of the portal...

  • Page 281

    258 views any view predefined user roles network-admin network-operator parameters all: specifies all mac binding servers. Name server-name: specifies a mac binding server by its name, a case-sensitive string of 1 to 32 characters. Examples # display information about all mac binding servers. Displa...

  • Page 282

    259 cloud server url : not configured aaa-fail nobinding : disabled # display information about the mac binding server ms1. Display portal mac-trigger-server name ms1 portal mac-trigger server: ms1 version : 2.0 server type : cmcc ip : 10.1.1.1 port : 100 vpn instance : vpn1 aging time : 120 seconds...

  • Page 283

    260 field description authentication timeout maximum amount of time that the device waits for portal authentication to complete after receiving the mac binding query response. Excluded attribute list numbers of attributes excluded from portal protocol packets. Local-binding status of local mac-trigg...

  • Page 284

261 Hardware Option compatibility MSR3600-28/3600-51 Yes MSR3600-28-SI/3600-51-SI Yes MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC Yes MSR 3610/3620/3620-DP/3640/3660 Yes MSR5620/5660/5680 Yes mac-trigger-server server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1...

  • Page 285

    262 ack_macbind 1 0 0 ntf_mtuser_logon 1 0 0 ntf_mtuser_logout 0 0 0 req_mtuser_offline 0 0 0 # display packet statistics for the lvzhou cloud authentication server. Display portal packet statistics extend-auth-server cloud extend-auth server: cloud update interval: 60s pkt-type success error timeou...

  • Page 286

    263 field description ntf_logout forced logout notification packet the access device sent to the portal authentication server. Req_info information request packet. Ack_info information acknowledgment packet. Ntf_userdiscover user discovery notification packet the portal authentication server sent to...

  • Page 287

    264 field description timeout number of packets that timed out of establishing a connection to the third-party authentication server. Conn-failure number of packets that failed to establish a connection to the third-party authentication server. Deny number of packets denied access to the third-party...

  • Page 288

    265 field description post_offlineuser cloud user offline packet the access device sent to the third-party authentication server. This field is displayed only if the third-party authentication server is the lvzhou cloud or wechat authentication server. Report_onlineuser cloud user online packet the ...

  • Page 289

    266 parameters slot slot-number: specifies a card by its slot number. If you do not specify a card, this command displays portal redirect packet statistics for all cards. (distributed devices in standalone mode.) slot slot-number: specifies an irf member device by its member id. If you do not specif...

  • Page 291

    268 examples # (centralized devices in standalone mode.) display all portal filtering rules on gigabitethernet 1/0/1. (wired application). Display portal rule all interface gigabitethernet 1/0/1 ipv4 portal rules on gigabitethernet1/0/1: rule 1 type : static action : permit protocol : any status : a...

  • Page 292

    269 rule 4: type : static action : deny status : active source: ip : 0.0.0.0 mask : 0.0.0.0 interface : gigabitethernet1/0/1 vlan : any destination: ip : 0.0.0.0 mask : 0.0.0.0 ipv6 portal rules on gigabitethernet1/0/1: rule 1 type : static action : permit protocol : any status : active source: ip :...

  • Page 293

    270 source: ip : :: prefix length : 0 interface : gigabitethernet1/0/1 vlan : any protocol : tcp destination: ip : :: prefix length : 0 port : 80 rule 4: type : static action : deny status : active source: ip : :: prefix length : 0 interface : gigabitethernet1/0/1 vlan : any destination: ip : :: pre...

  • Page 294

    271 mac : 0000-0000-0000 interface : wlan-bss1/0/1 vlan : any destination: ip : 192.168.0.111 mask : 255.255.255.255 port : any rule 2 type : dynamic action : permit status : active source: ip : 2.2.2.2 mac : 000d-88f8-0eab interface : wlan-bss1/0/1 vlan : 2 author acl: number : n/a rule 3 type : st...

  • Page 295

    272 # (distributed devices in standalone mode/centralized in irf mode.) display all portal filtering rules on gigabitethernet 1/0/1 for the specified slot. (wired application.) display portal rule all interface gigabitethernet 1/0/1 slot 1 slot 1: ipv4 portal rules on gigabitethernet1/0/1: rule 1 ty...

  • Page 296

    273 rule 4: type : static action : deny status : active source: ip : 0.0.0.0 mask : 0.0.0.0 interface : gigabitethernet1/0/1 vlan : any destination: ip : 0.0.0.0 mask : 0.0.0.0 ipv6 portal rules on gigabitethernet1/0/1: rule 1 type : static action : permit protocol : any status : active source: ip :...

  • Page 297

    274 ip : :: prefix length : 0 interface : gigabitethernet1/0/1 vlan : any protocol : tcp destination: ip : :: prefix length : 0 port : 80 rule 4: type : static action : deny status : active source: ip : :: prefix length : 0 interface : gigabitethernet1/0/1 vlan : any destination: ip : :: prefix leng...

  • Page 298

    275 interface : wlan-bss1/0/1 vlan : any destination: ip : 192.168.0.111 mask : 255.255.255.255 port : any rule 2 type : dynamic action : permit status : active source: ip : 2.2.2.2 mask : 255.255.255.255 mac : 000d-88f8-0eab interface : wlan-bss1/0/1 vlan : 2 author acl: number : n/a rule 3 type : ...

  • Page 299

    276 table 30 command output field description radio id id of the radio. Ssid service set identifier. Rule number of the portal rule. Ipv4 portal filtering rules and ipv6 portal filtering rules are numbered separately. Type type of the portal rule: • static—static portal rule. • dynamic—dynamic porta...

  • Page 300

    277 display portal safe-redirect statistics use display portal safe-redirect statistics to display portal safe-redirect packet statistics. Syntax centralized devices in standalone mode: display portal safe-redirect statistics distributed devices in standalone mode/centralized devices in irf mode: di...

  • Page 301

278 Forbidden filename extension statistics: .jpg: 0 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display portal safe-redirect packet statistics on the specified slot. display portal safe-redirect statistics slot 1 Slot 1: Redirect statistics: Success: 7 Failure: 8 Tot...

  • Page 302

    279 table 31 command output field description success number of packets redirected successfully. Failure number of packets failed redirection. Total total number of packets. Method statistics statistics of http request methods. Get number of packets with the get request method. Post number of packet...

  • Page 303

    280 server detection : timeout 60s action: log user synchronization : timeout 200s status : up exclude-attribute : not configured logout notification : retry 3 interval 5s table 32 command output field description type portal authentication server type: • cmcc—cmcc server. • imc—imc server. Portal s...

  • Page 304

    281 views any view predefined user roles network-admin network-operator parameters all: displays information about all portal users. Ap ap-name: specifies an ap by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), rig...

  • Page 305

282 Hardware Option compatibility MSR 2630 Yes MSR3600-28/3600-51 Yes MSR3600-28-SI/3600-51-SI Yes MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC Yes MSR 3610/3620/3620-DP/3640/3660 Yes MSR5620/5660/5680 Yes interface interface-type interface-number: Displays information about portal users on the sp...

  • Page 306

    283 authentication. If you do not specify the pre-auth keyword, this command displays information about authenticated portal users. Brief: displays brief information about portal users. Verbose: displays detailed information about portal users. Usage guidelines if you specify neither the brief nor t...

  • Page 307

    284 user profile: abc (active) session group profile: cd (inactive) acl number: n/a inbound car: n/a outbound car: n/a # display information about the portal user whose mac address is 000d-88f8-0eab. (wired application.) display portal user mac 000d-88f8-0eab username: abc portal server: pts state: ...

  • Page 308

    285 field description total qq users total number of portal users whose authentication type is qq authentication. Total wechat users total number of portal users whose authentication type is wechat authentication. Username name of the user. Portal server name of the portal authentication server. Sta...

  • Page 309

    286 current ip address: 50.50.50.3 original ip address: 30.30.30.2 username: user1@hrss user id: 0x28000002 access interface: eth3/2/2 service-vlan/customer-vlan: -/- mac address: 0000-0000-0001 authentication type: normal domain: hrss vpn instance: 123 status: online portal server: test vendor: app...

  • Page 310

    287 field description service-vlan/customer-vlan public vlan/private vlan to which the portal user belongs. If no vlan is configured for the portal user, this field displays -/-. Mac address mac address of the portal user. Authentication type type of portal authentication: • normal—normal authentica...

  • Page 311

    288 field description outbound car authorized outbound car: • cir—committed information rate in bps. • pir—peak information rate in bps. If no outbound car is authorized, this field displays n/a. Acl number authorized acl: • n/a—the aaa server authorizes no acl. • active—the aaa server has authorize...

  • Page 312

    289 radio id: 1 ssid: portal portal server: pts state: online vpn instance: vpn1 mac ip vlan interface 000d-88f8-0eac 4.4.4.4 2 bss1/2 authorization information: dhcp ip pool: n/a user profile: n/a acl number: 3000 inbound car: cir 3072 bps pir 3072 bps outbound car: cir 3072 bps pir 3072 bps # disp...

  • Page 313

    290 portal server: pts state: online vpn instance: n/a mac ip vlan interface 000d-88f8-0eab 2.2.2.2 2 wlan-bss1/0/1 authorization information: dhcp ip pool: n/a user profile: abc (active) session group profile: cd (inactive) acl number: n/a inbound car: n/a outbound car: n/a table 36 command output ...

  • Page 314

    291 field description dhcp ip pool name of the authorized ip address pool. If no ip address pool is authorized for the portal user, this field displays n/a. User profile authorized user profile: • n/a—the aaa server authorizes no user profile. • active—the aaa server has authorized the user profile ...

  • Page 315

    292 login time: 2014-12-25 10:47:53 utc dhcp ip pool: n/a acl&qos&multicast: inbound car: n/a outbound car: n/a acl number: n/a user profile: n/a max multicast addresses: 4 traffic statistic: uplink packets/bytes: 6/412 downlink packets/bytes: 0/0 dual-stack traffic statistics: ipv4 address: 18.18.0...

  • Page 316

    293 field description status status of the portal user: • authenticating—the user is being authenticated. • authorizing—the user is being authorized. • waiting setrule—deploying portal rules to the user. • online—the user is online. • waiting traffic—waiting for traffic from the user. • stop account...

  • Page 317

    294 field description user profile authorized user profile: • n/a—the aaa server authorizes no user profile. • active—the aaa server has authorized the user profile successfully. • inactive—the aaa server failed to authorize the user profile or the user profile does not exist on the device. Max mult...

  • Page 318

    295 examples # display the number of portal users. Display portal user count total number of users: 1 related commands portal enable portal delete-user display portal web-server use display portal web-server to display information about portal web servers. Syntax display portal web-server [ server-n...

  • Page 319

    296 table 39 command output field description type portal web server type: • cmcc—cmcc server. • imc—imc server. Portal web server name of the portal web server. Url url of the portal web server. Url parameters url parameters for the portal web server. Vpn instance name of the mpls l3vpn where the p...

  • Page 320

    297 views any view predefined user roles network-admin network-operator parameters ap ap-name: specifies an ap by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-)....

  • Page 321

    298 vlan : any rule 2: type : static action : redirect status : active source: vlan : any protocol : tcp destination: port : 80 ipv6 web-redirect rules on gigabitethernet1/0/1: rule 1: type : static action : redirect status : active source: vlan : any protocol : tcp destination: port : 80 # display ...

  • Page 322

    299 field description type type of the web redirect rule: • static—static web redirect rule, generated when the web redirect feature takes effect. • dynamic—dynamic web redirect rule, generated when a user visits a redirect webpage. Action action in the web redirect rule: • permit—allows packets to ...

  • Page 323

    300 to address this issue, you can configure this command to exclude the unsupported attributes from portal protocol packets sent to the portal authentication server. You can specify multiple excluded attributes. Table 41 describes all attributes of the portal protocol. Table 41 portal attributes na...

  • Page 324

    301 [sysname-portal-mac-trigger-server-123] exclude-attribute 10 exclude-attribute (portal authentication server view) use exclude-attribute to exclude an attribute from portal protocol packets. Use undo exclude-attribute to not exclude an attribute from portal protocol packets. Syntax exclude-attri...

  • Page 325

    302 name number description uplinkflux 6 uplink (output) traffic of the user, an 8-byte unsigned integer, in kb. Downlinkflux 7 downlink (input) traffic of the user, an 8-byte unsigned integer, in kb. Port 8 a string excluding the end character '\0'. Ip-config 9 this attribute has different meanings...

  • Page 326

    303 views mac binding server view predefined user roles network-admin parameters value: specifies the free-traffic threshold in the range of 0 to 10240000 bytes. If the free-traffic threshold is set to 0, the device immediately triggers mac-based quick portal authentication for a user once the user'...

  • Page 327

    304 predefined user roles network-admin parameters original-url url-string: specifies a url string to match the url in http or https requests of a portal user. The specified url must be a complete url starting with http:// or https://, a case-sensitive string of 1 to 256 characters. Redirect-url url...

  • Page 328

    305 system-view [sysname] portal web-server wbs [sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn redirect-url http://192.168.0.1 # configure a match rule to redirect http requests that carry the user agent string 5.0(windowsnt6.1)applewebkit/537.36(khtml,likegecko)chrome/36.0....

  • Page 329

    306 usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/ 810-lm-hk/810-w-lm-hk/810-lms/810-lus no msr2600-10-x1 yes msr 2630 yes msr3600-28/3600-51 yes msr3600-28-si/3600-51-si yes msr3610...

  • Page 330

    307 system-view [sysname] portal web-server wbs [sysname-portal-websvr-wbs] if-match original-url http://www.123.com.cn user-agent 5.0(windowsnt6.1)applewebkit/537.36(khtml,likegecko)chrome/36.0.1985.125safari/537.36 temp-pass redirect-url http://192.168.0.1 related commands display portal web-serve...

  • Page 331

    308 examples # specify the ip address of the mac binding server as 192.168.0.111 and the plaintext key as portal. system-view [sysname] portal mac-trigger-server mts [sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal related commands display portal mac-trigger-server ip (port...

  • Page 332

    309 system-view [sysname] portal server pts [sysname-portal-server-pts] ip 192.168.0.111 key simple portal related commands display portal server portal server ipv6 use ipv6 to specify the ip address of an ipv6 portal authentication server. Use undo ipv6 to restore the default. Syntax ipv6 ipv6-addr...

  • Page 333

    310 [sysname] portal server pts [sysname-portal-server-pts] ipv6 2000::1 key simple portal related commands display portal server portal server local-binding aging-time use local-binding aging-time to set the aging time for local mac-account binding entries. Use undo local-binding aging-time to rest...

  • Page 334

    311 undo local-binding enable default local mac-trigger authentication is disabled. Views mac binding server view predefined user roles network-admin usage guidelines this feature enables the device to act as a local mac binding server to provide local mac-trigger authentication for local portal use...

  • Page 335

    312 device-type: specifies an endpoint type. Computer: specifies the endpoint type as computer. Pad: specifies the endpoint type as tablet. Phone: specifies the endpoint type as mobile phone. Device-name device-name: specify an endpoint by its name, a case-sensitive string of 1 to 127 characters. Th...

  • Page 336

    313 related commands default-logon-page portal local-web-server logout-notify use logout-notify to set the maximum number of times and the interval for retransmitting a logout notification packet. Use undo logout-notify to restore the default. Syntax logout-notify retry retries interval interval und...

  • Page 337

    314 examples # set the maximum number of times for retransmitting a logout notification packet to 3 and the retry interval to 5 seconds. system-view [sysname] portal server pt [sysname-portal-server-pt] logout-notify retry 3 interval 5 related commands display portal server mail-domain-name use mail...

  • Page 339

    316 usage guidelines some mac binding servers identify mac-based quick portal authentication by a specific nas-port-type value in received radius requests. To communicate with such a mac binding server, you must configure the device to use the nas-port-type value required by the mac binding server. ...

  • Page 340

    317 port (portal authentication server view) use port to set the destination udp port number used by the device to send unsolicited portal packets to the portal authentication server. Use undo port to restore the default. Syntax port port-number undo port default the device uses 50100 as the destina...

  • Page 341

    318 notification packet sent to the portal authentication server is the ipv6 address of the packet's output interface. Views interface view service template view predefined user roles network-admin parameters bas-ip ipv4-address: specifies bas-ip for portal packets sent to the portal authentication ...

  • Page 343

    320 default no mac binding server is specified. Views interface view service template view predefined user roles network-admin parameters server-name: specifies a mac binding server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines only direct portal authentication support...

  • Page 344

    321 parameters ipv6: specifies an ipv6 portal web server. If the server is an ipv4 portal web server, do not specify this keyword. Secondary: specifies the backup portal web server. If you do not specify this keyword, the specified server is the primary portal web server. Server-name: specifies a po...

  • Page 345

    322 views system view predefined user roles network-admin usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/ 810-lm-hk/810-w-lm-hk/810-lms/810-lus no msr2600-10-x1 yes msr 2630 yes msr36...

  • Page 346

    323 2100. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59. Usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe...

  • Page 347

    324 portal auth-error-record enable reset portal auth-error-record portal auth-error-record max use portal auth-error-record max to set the maximum number of portal authentication error records. Use undo portal auth-error-record max to restore the default. Syntax portal auth-error-record max number ...

  • Page 348

    325 portal auth-fail-record enable use portal auth-fail-record enable to enable portal authentication failure recording. Use undo portal auth-fail-record enable to disable portal authentication failure recording. Syntax portal auth-fail-record enable undo portal auth-fail-record enable default porta...

  • Page 349

    326 views system view predefined user roles network-admin parameters url url-string: specifies the url to which portal authentication failure records are exported. The url is a case-insensitive string of 1 to 255 characters. Start-time start-date start-time end-time end-date end-time: specifies a ti...

  • Page 350

    327 examples # export all portal authentication failure records to path tftp://1.1.1.1/record/authfail/. system-view [sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/ # export portal authentication failure records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to ...

  • Page 351

    328 hardware command compatibility msr 3610/3620/3620-dp/3640/3660 yes msr5620/5660/5680 yes when the maximum number of portal authentication failure records is reached, the new record overwrites the oldest one. Examples # set the maximum number of portal authentication failure records to 50. System...

  • Page 352

    329 [sysname-gigabitethernet1/0/1] portal authorization acl strict-checking # enable strict checking on authorized acls on service template service1. (wireless application.) system-view [sysname] wlan service-template service1 [sysname-wlan-st-service1] portal authorization acl strict-checking relat...

  • Page 353

    330 portal client-gateway interface use portal client-gateway interface to specify the ac’s interface for portal clients to access during third-party authentication. Use undo portal client-gateway interface to restore the default. Syntax portal client-gateway interface interface-type interface-numbe...

  • Page 354

    331 usage guidelines before you execute this command, make sure the client traffic forwarding location is at aps. Examples # set the interval at which an ap reports traffic statistics to the device to 120 seconds. system-view [sysname] portal client-traffic-report interval 120 related commands client...

  • Page 355

    332 hardware option compatibility msr5620/5660/5680 yes interface interface-type interface-number: specifies an interface by its type and number. If you specify this option, this command logs out all ipv4 and ipv6 online portal users on the interface. Ipv6 ipv6-address: specifies the ip address of a...

  • Page 356

    333 system-view [sysname] portal delete-user auth-type email # log out the portal user whose username is abc. system-view [sysname] portal delete-user username abc related commands display portal user portal device-id use portal device-id to specify the device id. Use undo portal device-id to restor...

  • Page 357

    334 default no portal authentication domain is configured on an interface or a service template. Views interface view service template view predefined user roles network-admin parameters ipv6: specifies an authentication domain for ipv6 portal users. Do not specify this keyword for ipv4 portal users...

  • Page 358

    335 predefined user roles network-admin usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/ 810-lm-hk/810-w-lm-hk/810-lms/810-lus no msr2600-10-x1 yes msr 2630 yes msr3600-28/3600-51 yes ...

  • Page 359

    336 views interface view service template view predefined user roles network-admin usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/ 810-lm-hk/810-w-lm-hk/810-lms/810-lus no msr2600-10-...

  • Page 361

    338 related commands display portal portal extend-auth domain use portal extend-auth domain to specify the authentication domain for third-party authentication. Use undo portal extend-auth domain to remove the authentication domain for third-party authentication. Syntax portal extend-auth domain dom...

  • Page 363

    340 views interface view predefined user roles network-admin parameters ipv6: specifies an ipv6 portal authentication server. Do not specify this keyword for an ipv4 portal authentication server. Server-name: specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 ch...

  • Page 364

    341 predefined user roles network-admin parameters ipv6: specifies ipv6 portal web servers. To specify ipv4 portal web servers, do not specify this keyword. Usage guidelines the following matrix shows the support of the msr routers for this command in different views: hardware interface view service...

  • Page 367

    344 • specify the source ip address as 10.10.10.1/24, the destination ip address as 20.20.20.1, and the destination tcp port number as 23. • specify the interface where the rule is applied as gigabitethernet 1/0/1. system-view [sysname] portal free-rule 1 destination ip 20.20.20.1 32 tcp 23 source i...

  • Page 369

    346 portal free-rule source use portal free-rule source to configure a source-based portal-free rule. The filtering criteria include source mac address, source interface, and source vlan. Use undo portal free-rule to delete a specific or all portal-free rules. Syntax portal free-rule rule-number sou...

  • Page 370

    347 all: specifies all portal-free rules. Usage guidelines if you specify both the source vlan and the source layer 2 interface, the interface must be in the vlan. When you specify an object group in a source-based portal-free rule, make sure the specified object rule already exists. You can specify...

  • Page 371

    348 hardware command compatibility msr3600-28-si/3600-51-si no msr3610-x1/3610-x1-dp/3610-x1-dc/3610-x1-dp-dc no msr 3610/3620/3620-dp/3640/3660 yes msr5620/5660/5680 no by default, the device checks wireless portal client validity according to arp entries only. In wireless networks where the ap fo...

  • Page 372

    349 usage guidelines portal users on the interface are authenticated when accessing the specified authentication destination subnet (except ip addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication. You can configure multiple authentic...

  • Page 373

    350 if you do not specify the ipv6-network-address argument in the undo portal ipv6 layer3 source command, this command deletes all ipv6 portal authentication source subnets on the interface. Only cross-subnet authentication supports authentication source subnets. If you configure both an authentica...

  • Page 374

    351 if the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires. If the device receives no reply after the maxi...

  • Page 375

    352 mask: specifies the subnet mask in dotted decimal format. Usage guidelines with ipv4 authentication source subnets configured, only packets from ipv4 users on the authentication source subnets can trigger portal authentication. If an unauthenticated ipv4 user is not on any authentication source ...

  • Page 376

    353 usage guidelines after a local portal web server is configured on the access device, the access device also acts as the portal web server and the portal authentication server. No external portal web server and portal authentication server are needed. For an interface to use the local portal web ...

  • Page 377

    354 predefined user roles network-admin usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/ 810-lm-hk/810-w-lm-hk/810-lms/810-lus no msr2600-10-x1 yes msr 2630 yes msr3600-28/3600-51 yes ...

  • Page 378

    355 usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/ 810-lm-hk/810-w-lm-hk/810-lms/810-lus no msr2600-10-x1 yes msr 2630 yes msr3600-28/3600-51 yes msr3600-28-si/3600-51-si yes msr3610...

  • Page 379

    356 reset portal logout-record portal logout-record max use portal logout-record max to set the maximum number of portal user offline records. Use undo portal logout-record max to restore the default. Syntax portal logout-record max number undo portal logout-record max default the maximum number of ...

  • Page 380

    357 portal mac-trigger-server use portal mac-trigger-server to create a mac binding server and enter its view, or enter the view of an existing mac binding server. Use undo portal mac-trigger-server to delete the mac binding server. Syntax portal mac-trigger-server server-name undo portal mac-trigge...

  • Page 381

    358 parameters max-number: specifies the maximum number of total portal users in the system. The value range for this argument is 1 to 4294967295. Usage guidelines if you configure the maximum total number smaller than the number of current online portal users on the device, this command still takes...

  • Page 382

    359 examples # specify the nas-id profile aaa for gigabitethernet 1/0/1. system-view [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] portal nas-id-profile aaa related commands aaa nas-id profile portal nas-port-id format use portal nas-port-id format to specify the nas-port-...

  • Page 383

    360 field description nas_subslot subslot number of the bras, in the range of 0 to 31. nas_port port number of the bras, in the range of 0 to 63. xpi.xci for atm interfaces: • xpi is vpi in the range of 0 to 255. • xci is vci in the range of 0 to 65535. For ethernet interfaces or ethernet trunk inte...

  • Page 384

    361 nas-port-id description atm 31/31/7:255.65535 0/0/0/0/0/0 the subscriber interface type is an atm interface. The slot number is 31, the bras subslot number is 31, the bras port number is 7, the vpi is 255, and the vci is 65535. eth 31/31/7:1234.2345 0/0/0/0/0/0 the subscriber interface type is a...

  • Page 385

    362 default the nas-port-type value carried in radius requests is the user's access interface type value obtained by the access device. Views interface view service template view predefined user roles network-admin parameters ethernet: specifies the nas-port-type attribute value as ethernet (number ...

  • Page 386

    363 related commands display portal interface portal outbound-filter enable use portal [ ipv6 ] outbound-filter enable to enable outgoing packets filtering on a portal-enabled interface. Use undo portal [ ipv6 ] outbound-filter enable to disable outgoing packets filtering on a portal-enabled interfa...

  • Page 387

    364 views interface view predefined user roles network-admin parameters ipv6: specifies ipv6 portal users. Do not specify this keyword for ipv4 portal users. Domain-name: specifies an existing isp domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the fol...

  • Page 388

    365 system-view [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] portal pre-auth domain abc related commands display portal portal packet log enable use portal packet log enable to enable logging for portal protocol packets. Use undo portal packet log enable to disable loggin...

  • Page 389

    366 views interface view predefined user roles network-admin parameters ipv6: specifies ipv6 portal users. Do not specify this keyword for ipv4 portal users. Pool-name: specifies an ip address pool by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines you must use this comma...

  • Page 390

    367 usage guidelines this feature logs information about portal redirect packets, including the user ip address, mac address, ssid, bas ip, and web server ip address. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information abou...

  • Page 391

    368 [sysname] undo portal refresh arp enable portal roaming enable use portal roaming enable to enable portal roaming. Use undo portal roaming enable to disable portal roaming. Syntax portal roaming enable undo portal roaming enable default portal roaming is disabled. An online portal user cannot ro...

  • Page 392

    369 usage guidelines portal redirects all http requests except http requests that match portal-free rules to the portal web server, which might overload the server. Portal safe-redirect filters http requests by http request method, browser type (in http user agent), and destination url, and redirect...

  • Page 393

    370 related commands display portal safe-redirect statistics portal safe-redirect enable portal safe-redirect forbidden-url use portal safe-redirect forbidden-url to configure a url forbidden by portal safe-redirect. Use undo portal safe-redirect forbidden-url to delete a portal safe-redirect forbid...

  • Page 394

    371 default after portal safe-redirect is enabled, the device redirects only http requests with the get method. Views system view predefined user roles network-admin parameters get: specifies the get request method. Post: specifies the post request method. Usage guidelines after you specify http req...

  • Page 395

    372 table 46 browser types supported by portal safe-redirect browser type description safari apple browser chrome google browser firefox firefox browser uc uc browser qqbrowser qq browser lbbrowser cheetah browser taobrowser taobao browser maxthon maxthon browser bidubrowser baidu browser msie 10.0 ...

  • Page 396

    373 views system view predefined user roles network-admin parameters server-name: specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines in portal authentication server view, you can configure the following parameters and features for th...

  • Page 397

    374 usage guidelines typically, a portal user cannot access the network before passing portal authentication. This feature allows a user to access the internet temporarily if the user uses a wechat account to perform portal authentication. During the temporary pass period, the user provides wechat a...

  • Page 399

    376 examples # enable online detection of ipv4 portal users on gigabitethernet 1/0/1. Configure the detection type as icmp, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds. system-view [sysname] interface gigabitethernet 1...

  • Page 400

    377 [sysname-wlan-st-service1] portal user-dhcp-only related commands display portal portal user-logoff after-client-offline enable use portal user-logoff after-client-offline enable to enable automatic logout for wireless portal users. Use undo portal user-logoff after-client-offline enable to disa...

  • Page 401

    378 portal user log enable use portal user log enable to enable logging for portal user logins and logouts. Use undo portal user log enable to disable logging for portal user logins and logouts. Syntax portal user log enable undo portal user log enable default portal user login and logout logging is...

  • Page 402

    379 parameters server-name: specifies a portal web server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines the portal web server pushes portal authentication pages to portal users during authentication. The access device redirects http requests of unauthenticated portal u...

  • Page 403

    380 [sysname-portal-extend-auth-server-qq] redirect-url http://www.abc.com/portal/qqlogin.html related commands display portal extend-auth-server reset portal auth-error-record use reset portal auth-error-record to clear portal authentication error records. Syntax reset portal auth-error-record { al...

  • Page 404

    381 # clear portal authentication error records for the portal user whose ipv6 address is 2000::2. reset portal auth-error-record ipv6 2000::2 # clear portal authentication error records with the error time in the range of 2016/3/4 14:20 to 2016/3/4 16:23. reset portal auth-error-record start-time 2...

  • Page 405

    382 examples # clear all portal authentication failure records. reset portal auth-fail-record all # clear portal authentication failure records for the portal user whose ipv4 address is 11.1.0.1. reset portal auth-fail-record ipv4 11.1.0.1 # clear portal authentication failure records for the portal...

  • Page 406

    383 # (distributed devices in standalone mode/centralized devices in irf mode.) clear portal captive-bypass packet statistics on the specified slot. reset portal captive-bypass statistics slot 0 related commands display portal captive-bypass statistics reset portal logout-record use reset portal log...

  • Page 407

    384 # clear offline records for the portal user whose ipv4 address is 11.1.0.1. reset portal logout-record ipv4 11.1.0.1 # clear offline records for the portal user whose ipv6 address is 2000::2. reset portal logout-record ipv6 2000::2 # clear offline records for the portal user whose username is ab...

  • Page 408

    385 related commands display portal packet statistics reset portal redirect statistics use reset portal redirect statistics to reset portal redirect packet statistics. Syntax centralized devices in standalone mode: reset portal redirect statistics distributed devices in standalone mode/centralized i...

  • Page 409

    386 reset portal safe-redirect statistics [ slot slot-number ] distributed devices in irf mode: reset portal safe-redirect statistics [ chassis chassis-number slot slot-number ] views user view predefined user roles network-admin parameters slot slot-number: specifies a card by its slot number. If y...

  • Page 410

    387 log: enables the device to send a log message when it detects a reachability status change of the portal authentication server. The log message contains the name, the original state, and the current state of the portal authentication server. Usage guidelines the portal authentication server dete...

  • Page 411

    388 log: enables the device to send a log message when it detects a reachability status change of the portal web server. The log message contains the name, the original state, and the current state of the portal web server. Usage guidelines the access device performs server detection independently. ...

  • Page 412

    389 receives the register packet, it records register information for the access device, including the device name, and the ip address and port number after nat. The register information is used for subsequent authentication information exchanges between the server and the access device. The access ...

  • Page 413

    390 undo server-type default the type of the portal authentication server and portal web server is imc. Views portal authentication server view portal web server view predefined user roles network-admin parameters cmcc: specifies the portal server type as cmcc. Imc: specifies the portal server type ...

  • Page 414

    391 parameters port-number: specifies the listening tcp port number in the range of 1 to 65535. Usage guidelines to use the local portal web server, make sure the port number in the portal web server url and the port number configured in this command are the same. For successful local portal authent...

  • Page 415

    392 system-view [sysname] portal web-server wbs [sysname-portal-websvr-wbs] url http://www.test.com/portal related commands display portal web-server url-parameter use url-parameter to configure the parameters carried in the url of a portal web server. The access device redirects a portal user by se...

  • Page 416

    393 hardware option compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/810-lm-hk/810-w-lm-hk/810-lms/810-lus no msr2600-10-x1 yes msr 2630 yes msr3600-28/3600-51 yes msr3600-28-si/3600-51-si yes msr3610-x1/3610-x1-dp/3610-x1-dc/3610-x1-dp-dc yes msr 3610/3620/3620-dp/3640/3660 yes msr56...

  • Page 417

    394 if you specify the encryption algorithm for a parameter, the redirection url carries the encrypted value for the parameter. Execute the url-parameter usermac source-mac encryption des key simple 12345678 command. Then the access device sends to the user with mac address 1111-1111-1111 the url ht...

  • Page 418

    395 examples # in local portal web server view, enable local portal user password modification. system-view [sysname] portal local-web-server http [sysname-portal-local-websvr-http] user-password modify enable related commands portal local-web-server user-sync use user-sync to enable portal user syn...

  • Page 419

    396 examples # enable portal user synchronization for the portal authentication server pts and set the detection timeout to 600 seconds. If a user has not appeared in the synchronization packets sent by the portal authentication server for 600 seconds, the access device logs out the user. system-view...

  • Page 420

    397 syntax vpn-instance vpn-instance-name undo vpn-instance default a portal web server belongs to the public network. Views portal web server view predefined user roles network-admin parameters vpn-instance-name: specifies the mpls l3vpn instance to which the portal web server belongs. The vpn-inst...

  • Page 421

    398 • the tracked interface receives 2g signal or no signal. In the current software version, this feature can track signal information only for etherchannel interfaces. This feature applies only to ipv4 users. This feature requires that the webpage to which the redirect url points must be configure...

  • Page 422

    399 • userip=%c—ip address of the user. • usermac=%m—mac address of the user. • nasid=%n—nas identifier of the device. • ssid=%e—ssid with which the user associates. • originalurl=%o—original url that the user enters in the browser. Make sure the arrangement of the parameters conforms to the format ...

  • Page 423: User Profile Commands

    400 user profile commands the following matrix shows the feature and hardware compatibility: hardware user profile compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/810-lm-hk/810-w-lm-hk yes msr810-lms/810-lus no msr2600-10-x1 yes msr 2630 yes msr3600-28/3600-51 yes msr3600-28-si/3600-...

  • Page 424

    401 views any view predefined user roles network-admin network-operator parameters name profile-name: specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. Valid characters include english letters, digits, and underscores (_). The name must start with an english letter...

  • Page 425

    402 # (distributed device in standalone mode.) display configuration and online user information for all user profiles in slot 2. display user-profile slot 2 user-profile: aaa inbound: cir 32 (kbps), cbs 2048 (bytes), ebs 0 (bytes), pir 888 (kbps) policy: p1 outbound: cir 32 (kbps), cbs 2048 (bytes)...

  • Page 426

    403 user user_1: authentication type: 802.1x network attributes: interface : gigabitethernet1/2/0/1 mac address : 0000-1111-2222 failed action list: inbound: policy p1 inbound: cir 32 (kbps), cbs 2048 (bytes), ebs 0 (bytes), pir 888 (kbps) user user_2: authentication type: portal network attributes:...

  • Page 427

    404 chassis 1 slot 2: user user_1: authentication type: 802.1x network attributes: interface : gigabitethernet1/2/0/1 mac address : 0000-1111-2222 failed action list: inbound: policy p1 chassis 1 slot 5: user user_6: authentication type: ppp network attributes: interface : gigabitethernet1/2/0/3 use...

  • Page 428

    405 field description authentication type authentication type: • 802.1x—802.1x authentication. • portal—portal authentication. • ppp—ppp authentication. • maca—mac authentication. Network attributes online user information. Failed action list actions that failed to be applied to the user. User-profi...

  • Page 429: Password Control Commands

    406 password control commands the device supports the fips mode that complies with nist fips 140-2 requirements. Support for features, commands, and parameters might differ in fips mode and non-fips mode. For more information about fips mode, see security configuration guide. Ipv6-related parameters...

  • Page 430

    407 password length: enabled (10 characters) password composition: enabled (1 types, 1 characters per type) table 48 command output field description password control whether the password control feature is enabled. Password aging whether password expiration is enabled and, if enabled, the expiratio...

  • Page 431

    408 ipv6 ipv6-address: specifies the ipv6 address of a user. Usage guidelines if you do not specify any parameters, this command displays information about all users in the password control blacklist. The users' ip addresses and user accounts are added to the password control blacklist when the user...

  • Page 432

    409 predefined user roles network-admin parameters aging: enables the password expiration feature. Composition: enables the password composition restriction feature. History: enables the password history feature. Length: enables the minimum password length restriction feature. Usage guidelines for a...

  • Page 433

    410 default a password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs. Views system view user group view local user view predefined user roles ...

  • Page 434

411 password-control alert-before-expire. Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax: password-con...

  • Page 435

412 User group view. Local user view. Predefined user roles: network-admin. Parameters: same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the userna...

  • Page 436

413 In FIPS mode: The password using the global composition policy must contain a minimum of four character types and a minimum of one character for each type. In both non-FIPS and FIPS modes: The password composition policy for a user group is the same as the global policy. The password composition...

  • Page 437

414 type-length type-length: Specifies the minimum number of characters that are from each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode. Usage guidelines: The password composition policy depends on the view: • The policy in s...
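The length, composition, and complexity checks described on these pages are easy to misread (type-number versus type-length in particular), so here is a small Python model of them. It is an added example, not H3C code: the non-FIPS defaults (10 characters, 1 type, 1 character per type) and the FIPS values (15 characters, 4 types) are taken from the page, while the reading "at least type-number of the four classes must each contribute type-length characters", the case-sensitive username comparison, and the rejection of the reversed username are assumptions.

```python
"""Model of the password-control checks described above (length, composition,
same-character and user-name complexity). Added example, not H3C code."""
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    # Non-FIPS global defaults quoted on this page: 10 characters, 1 type with
    # 1 character per type. The complexity checks are off until enabled with
    # password-control complexity { same-character | user-name } check.
    min_length: int = 10
    type_number: int = 1      # password-control composition type-number
    type_length: int = 1      # ... type-length
    same_character: bool = False
    user_name: bool = False


# FIPS mode per the page: 15-character minimum, four types, one character each.
FIPS_POLICY = PasswordPolicy(min_length=15, type_number=4, type_length=1)


def character_type_counts(password: str) -> dict:
    """Count characters per type: uppercase, lowercase, digits, special."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def has_triple_repeat(password: str) -> bool:
    """True if any character appears three or more times in a row ("aaabc")."""
    return any(password[i] == password[i + 1] == password[i + 2]
               for i in range(len(password) - 2))


def check_password(password: str, username: str, policy: PasswordPolicy) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} < minimum {policy.min_length}")
    # Assumption: "N types with M characters per type" means at least N of the
    # four types must each contribute at least M characters.
    counts = character_type_counts(password)
    satisfied = sum(1 for c in counts.values() if c >= policy.type_length)
    if satisfied < policy.type_number:
        problems.append(f"{satisfied} type(s) have >= {policy.type_length} char(s); "
                        f"need {policy.type_number}")
    if policy.same_character and has_triple_repeat(password):
        problems.append("a character repeats three or more times consecutively")
    if policy.user_name:
        # Assumption: the comparison is case-sensitive and the reversed username
        # is rejected as well; the page's description is truncated at this point.
        if username in password or username[::-1] in password:
            problems.append("password contains the username or its reverse")
    return problems
```

Run `check_password("aaabc", "alice", PasswordPolicy(same_character=True))` to see both the length and the same-character rule fire, and `check_password("Correct-Horse-7battery", "alice", FIPS_POLICY)` to see a password that satisfies all four FIPS character types. Note that a composition policy only counts classes; it does not stop a user from picking a dictionary word padded with `1!`, which is why the page's history and expiration features exist alongside it.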

  • Page 438

415 The password control feature is disabled globally. In FIPS mode: The password control feature is enabled globally and cannot be disabled. Views: System view. Predefined user roles: network-admin. Usage guidelines: A specific password control feature takes effect only after the global password control...

  • Page 439

416 Usage guidelines: This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires. Examples: # Allow a user to log in five times within 60 days after the password expires. <Sysname> system-view [Sysname] password-control expired-user-login delay 60 tim...

  • Page 440

417 password-control history enable; reset password-control blacklist. password-control length: Use password-control length to set the minimum password length. Use undo password-control length to restore the default. Syntax: password-control length length; undo password-control length. Default: In non-FIPS...

  • Page 441

418 # Set the minimum password length to 16 characters for the user group test. [Sysname] user-group test [Sysname-ugroup-test] password-control length 16 [Sysname-ugroup-test] quit # Set the minimum password length to 16 characters for the device management user abc. [Sysname] local-user abc class ...

  • Page 442

419 password-control login-attempt. Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached. Use undo password-control login-attempt to restore the defa...

  • Page 443

420 Whether a blacklisted user and user account are locked depends on the locking setting: • If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-con...
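The interaction between the login-attempt limit, the blacklist, and the three lock actions is easier to see in code than in prose. The following Python model is an added example, not H3C code: the keyword names lock, lock-time, and unlock follow the H3C command syntax, the counter is kept per user-and-source-IP pair as the blacklist page describes, and the sample setting of 3 attempts with a 1-minute lock is the Comware default as the editor recalls it, not something this page states. The clock is injectable so the lock expiry can be exercised without waiting.

```python
"""Consecutive-failure limit with the password-control blacklist.
Added example modelling password-control login-attempt login-times exceed
{ lock | lock-time minutes | unlock } and reset password-control blacklist;
not H3C code."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class BlacklistEntry:
    user: str
    ip: str
    failures: int = 0
    locked_until: Optional[float] = None   # None: not locked; inf: permanently locked


class LoginAttemptControl:
    def __init__(self, login_times: int = 3, exceed: str = "lock-time",
                 lock_time_minutes: int = 1, clock: Callable[[], float] = time.time):
        if exceed not in ("lock", "lock-time", "unlock"):
            raise ValueError("exceed must be lock, lock-time or unlock")
        self.login_times = login_times
        self.exceed = exceed
        self.lock_seconds = lock_time_minutes * 60
        self.clock = clock
        self.blacklist: Dict[Tuple[str, str], BlacklistEntry] = {}

    def _entry(self, user: str, ip: str) -> Optional[BlacklistEntry]:
        """Fetch the blacklist entry, dropping it if a timed lock has expired."""
        key = (user, ip)
        entry = self.blacklist.get(key)
        if entry and entry.locked_until is not None and entry.locked_until <= self.clock():
            del self.blacklist[key]
            return None
        return entry

    def attempt(self, user: str, ip: str, password_ok: bool) -> str:
        """Returns 'accepted', 'rejected' or 'locked'."""
        entry = self._entry(user, ip)
        if entry and entry.locked_until is not None:
            return "locked"          # even a correct password is refused while locked
        if password_ok:
            self.blacklist.pop((user, ip), None)   # success clears the user from the blacklist
            return "accepted"
        if entry is None:
            entry = self.blacklist[(user, ip)] = BlacklistEntry(user, ip)
        entry.failures += 1
        if entry.failures >= self.login_times:
            if self.exceed == "lock":
                entry.locked_until = float("inf")
            elif self.exceed == "lock-time":
                entry.locked_until = self.clock() + self.lock_seconds
            # "unlock": the user stays blacklisted but may keep trying
            if entry.locked_until is not None:
                return "locked"
        return "rejected"

    def reset_blacklist(self, user: Optional[str] = None) -> int:
        """reset password-control blacklist [ user-name user-name ]; returns entries removed."""
        victims = [k for k in self.blacklist if user is None or k[0] == user]
        for k in victims:
            del self.blacklist[k]
        return len(victims)

    def display_blacklist(self):
        """Rows like display password-control blacklist: (user, ip, failures, state)."""
        rows = []
        for e in self.blacklist.values():
            state = ("unlocked" if e.locked_until is None else
                     "lock" if e.locked_until == float("inf") else "lock-time")
            rows.append((e.user, e.ip, e.failures, state))
        return sorted(rows)
```

Two behaviours matter operationally: a permanently locked account (exceed lock) is not released by a correct password, only by reset password-control blacklist, so a remote attacker who knows the username can lock the administrator out; and because the counter is keyed by user and source address, distributing guesses across many source addresses defeats the limit, so the blacklist is a speed bump rather than a substitute for strong passwords or a management-plane ACL.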

  • Page 444

421 Related commands: display local-user; display password-control; display password-control blacklist; display user-group; reset password-control blacklist. password-control super aging: Use password-control super aging to set the expiration time for super passwords. Use undo password-control super aging ...

  • Page 445

422 A super password must contain a minimum of one character type and a minimum of one character for each type. In FIPS mode: A super password must contain a minimum of four character types and a minimum of one character for each type. Views: System view. Predefined user roles: network-admin. Parameters...

  • Page 446

423 Predefined user roles: network-admin. Parameters: length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode. Examples: # Set the minimum length of super passwords to 16 characters. <Sysname> system-view [Sysn...

  • Page 447

424 reset password-control blacklist. Use reset password-control blacklist to remove blacklisted users. Syntax: reset password-control blacklist [ user-name user-name ]. Views: User view. Predefined user roles: network-admin. Parameters: user-name user-name: Specifies the username of a user account to be re...

  • Page 448

425 <Sysname> reset password-control history-record Are you sure to delete all local user's history records? [Y/N]:y Related commands: password-control history.

  • Page 450

427 [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21. authentication-algorithm: Use authentication-algorithm to specify an authentication algorithm for a key. Use undo authentication-algorithm to resto...

  • Page 451

428 Parameters: name keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters. If you do not specify a keychain, this command displays information about all keychains. key key-id: Specifies a key by its ID in the range of 0 to 281474976710655. If you do not speci...

  • Page 452

429 Field / Description. Algorithm: authentication algorithm for the key, hmac-md5 or md5. Send lifetime: sending lifetime for the key. Send status: status of the send key, Active or Inactive. Accept lifetime: receiving lifetime for the key. Accept status: status of the accept key, Active or Inactive. Key u...

  • Page 453

430 Views: System view. Predefined user roles: network-admin. Parameters: keychain-name: Specifies a keychain name, a case-sensitive string of 1 to 63 characters. mode: Specifies a time mode. absolute: Specifies the absolute time mode. In this mode, each time point during a key's lifetime is the UTC time...

  • Page 454

431 Examples: # Set the key to 123456 in plaintext form for key 1. <Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] key-string plain 123456. send-lifetime utc: Use send-lifetime utc to set the sending lifetime for a key of a keychain in absolute...

  • Page 455

432 [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] send-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21.
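The point of separate send and accept lifetimes is hitless key rollover: the new key's accept lifetime starts before the old key's send lifetime ends, so packets still in flight under the old key verify while the sender has already moved on. The following Python model of the keychain, key, key-string, authentication-algorithm, send-lifetime utc and accept-lifetime utc commands is an added example, not H3C code. Key 1 and its lifetimes are taken from the page; key 2 and the one-hour overlap are constructed. Two details are assumptions: when several send keys are active the lowest key ID is chosen, and plain "md5" is modelled as MD5(message || key) in the RFC 2328 style, while "hmac-md5" uses a real HMAC.

```python
"""Keychain with absolute (UTC) send/accept lifetimes and keyed authentication.
Added example modelling the keychain commands on this page; not H3C code."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


def utc(text: str) -> datetime:
    """Parse the 'HH:MM YYYY/M/D' form used by send-lifetime utc / accept-lifetime utc."""
    return datetime.strptime(text, "%H:%M %Y/%m/%d").replace(tzinfo=timezone.utc)


@dataclass
class Key:
    key_id: int                       # key key-id (0..281474976710655 on the page)
    key_string: bytes                 # key-string plain ...
    algorithm: str = "hmac-md5"       # authentication-algorithm hmac-md5 | md5
    send_lifetime: Optional[Tuple[datetime, datetime]] = None
    accept_lifetime: Optional[Tuple[datetime, datetime]] = None

    @staticmethod
    def _within(lifetime, now) -> bool:
        return lifetime is not None and lifetime[0] <= now < lifetime[1]

    def send_active(self, now) -> bool:
        return self._within(self.send_lifetime, now)

    def accept_active(self, now) -> bool:
        return self._within(self.accept_lifetime, now)

    def digest(self, message: bytes) -> bytes:
        if self.algorithm == "hmac-md5":
            return hmac.new(self.key_string, message, hashlib.md5).digest()
        if self.algorithm == "md5":
            # Assumption: plain "md5" is the RFC 2328 style keyed digest MD5(message || key).
            return hashlib.md5(message + self.key_string).digest()
        raise ValueError(f"unknown algorithm {self.algorithm}")


class Keychain:
    def __init__(self, name: str):
        self.name = name          # keychain keychain-name mode absolute
        self.keys = {}

    def add(self, key: Key) -> None:
        self.keys[key.key_id] = key

    def status(self, now) -> dict:
        """Send/accept status per key, as 'display keychain' reports Active/Inactive."""
        return {k.key_id: ("Active" if k.send_active(now) else "Inactive",
                           "Active" if k.accept_active(now) else "Inactive")
                for k in self.keys.values()}

    def sign(self, message: bytes, now):
        """Pick the active send key and return (key_id, digest); the ID travels with the message."""
        active = [k for k in self.keys.values() if k.send_active(now)]
        if not active:
            raise RuntimeError("no send key is active; peer authentication would fail")
        key = min(active, key=lambda k: k.key_id)   # assumption: lowest active ID wins
        return key.key_id, key.digest(message)

    def verify(self, message: bytes, key_id: int, digest: bytes, now) -> bool:
        """Accept only if the named key exists, its accept lifetime covers now and the digest matches."""
        key = self.keys.get(key_id)
        if key is None or not key.accept_active(now):
            return False
        return hmac.compare_digest(key.digest(message), digest)


def sample_keychain() -> Keychain:
    """Constructed rollover: key 1 from the page, key 2 taking over at 18:30 with a
    one-hour accept overlap so in-flight packets from the old key still verify."""
    kc = Keychain("abc")
    kc.add(Key(1, b"123456",
               send_lifetime=(utc("12:30 2015/1/21"), utc("18:30 2015/1/21")),
               accept_lifetime=(utc("12:30 2015/1/21"), utc("19:30 2015/1/21"))))
    kc.add(Key(2, b"new-secret-2",
               send_lifetime=(utc("18:30 2015/1/21"), utc("12:00 2015/1/22")),
               accept_lifetime=(utc("17:30 2015/1/21"), utc("12:00 2015/1/22"))))
    return kc
```

Because every time point is UTC in absolute mode, a clock that drifts or a device without NTP can move a key into Inactive on one side only, which shows up as authentication failures at exactly the lifetime boundary; the overlap window is what absorbs that skew. The digest comparison uses hmac.compare_digest so that verification time does not depend on how many leading bytes match.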

  • Page 456

433 Public key management commands. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key...

  • Page 457

    434 key code: 307c300d06092a864886f70d0101010500036b003068026100cab4cacca16442ad5f453442 762f03897e0d494fede69224f5c051a441d290976733a278c9f0c0f5a198e66143eab54a64 db608269cae844b1e7cc64ad7e808972e7cf887f3b657f056e7930fc84fbf1ad83a01cc47e 9d85c13413996ecd093b0203010001 ==============================...

  • Page 458

    435 585da7f42519718cc9b09eef0381850002818100a1e456c8da2ad1bb83b1bdf2a1a6b5a6e8 3642b460402445da7e4036715f468f76655e114d460b7112f57143ee020aef4a5bfad07b74 0fbcb1c64da8a2bce619283421445eec77d3cf0d11866e9656ad6511f4926f8376967b0ab7 15f9fb7b514bc1174155dd6e073b1fcb3a2749e6c5fea81003e16729497d0ead9105e3e...

  • Page 459

    436 7811c7da33021500c773218c737ec8ee993b4f2ded30f48edace915f0281810082269009e1 4ec474baf2932e69d3b1f18517ad9594184ccdfceae96ec4d5ef93133e84b47093c52b20cd 35d02492b3959ec6499625bc4fa5082e22c5b374e16dd00132ce71b020217091ac717b6123 91c76c1fb2e88317c1bd8171d41ecb83e210c03cc9b32e810561c21621c73d6daac028f...

  • Page 460

437 Predefined user roles: network-admin, network-operator. Parameters: brief: Displays brief information about all peer host public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer host public key, includi...

  • Page 461

438 Field / Description. Modulus: key modulus length in bits. Name: name of the peer host public key. Related commands: public-key peer; public-key peer import sshkey. peer-public-key end: Use peer-public-key end to exit public key view to system view and save the configured peer host public key. Syntax: peer-...

  • Page 463

    440 if you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default. The name of a key pair must be unique among all manuall...

  • Page 464

    441 generating keys... .++++++++++++++++++++++++++++++++++++++++++++++++++* ........+......+.....+......................................+..+................ .......+..........+..............+.............+...+.....+...............+..+... ...+.................+..........+...+....+.......+.....+.........

  • Page 465

442 <Sysname> system-view [Sysname] public-key local create rsa The range of public key modulus is (2048 ~ 2048). It will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 2048]: Generating Keys... ...++++++ .++++++ ..++++++++ ....++++++++ Create the key pair successfully. # In FIP...

  • Page 466

443 name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command destroys all key pairs of the specified type. Usage guidelines: To avoid key compromise, de...

  • Page 467

444 Predefined user roles: network-admin. Parameters: name key-name: Specifies a local DSA key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command exports the host public key of the loca...

  • Page 468

445 <Sysname> system-view [Sysname] public-key local export dsa openssh ssh-dss aaaab3nzac1kc3maaacbandxjixfhmrmir8yvzbl8ghe8kqj9/5ra4wzto9yzhsg06uil+cm7ozb5sjlhuij3 b7b0t7isntan3w6jsy5h3i2anh+kiuorchyldyjy5sg/wd+azqd3xf+axkjpadu68hrknl/bnjxcittqchqbz wcflfql6xlnolqohgrx9ozaaaafqdhcygmc37i7pk7ty3tmpso2s6rxwaa...

  • Page 469

446 Predefined user roles: network-admin. Parameters: name key-name: Specifies a local ECDSA key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command exports the host public key of the lo...

  • Page 470

447 [Sysname] public-key local export ecdsa openssh ecdsa-sha2-nistp256 aaaae2vjzhnhlxnoytitbmlzdhayntyaaaaibmlzdhayntyaaabbbbrew5tkarpbv+syart/xcw+ujeaevx7o cktttlpbilp5bwksdkbvo+3ohruiyzqmnticxubjubap+phc919c58= ecdsa-key Related commands: public-key local create; public-key peer import sshkey; publi...

  • Page 471

448 3. On the peer device, use the public-key peer import sshkey command to import the host public key from the file. SSH1.5, SSH2.0, and OpenSSH are different public key formats. Choose the correct public key format that is supported on the device where you import the host public key. In FIPS mode, ...
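The "Key code" hex that display public-key local prints (page 457 onward) is a DER-encoded SubjectPublicKeyInfo, and the line that public-key local export ... openssh writes is the same key in OpenSSH's base64 wire format; mixing the two up is the usual reason an import fails on the peer. The following Python encoder/decoder for both is an added example, not H3C code. It uses only the standard library; N_SAMPLE is a constructed 1024-bit odd integer standing in for a real RSA modulus, so the key is useful for format checks only.

```python
"""Two encodings of the same RSA host public key: the DER SubjectPublicKeyInfo
shown as 'Key code' by display public-key local, and the OpenSSH one-line form
written by public-key local export ... openssh. Added example; not H3C code."""
import base64
import struct

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
N_SAMPLE = (1 << 1023) | (1 << 500) | 12345      # constructed, not a real RSA modulus
E_SAMPLE = 65537


# --- minimal DER ----------------------------------------------------------
def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    # (bit_length + 8) // 8 adds a leading 0x00 when the top bit is set, keeping it positive
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def encode_spki_rsa(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier(rsaEncryption, NULL), BIT STRING RSAPublicKey }."""
    rsa_public_key = der(0x30, der_integer(n) + der_integer(e))
    algorithm = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))


def parse_spki_rsa(spki: bytes):
    """Return (n, e) from a DER SubjectPublicKeyInfo, refusing non-RSA algorithms."""
    tag, body, _ = der_read(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algorithm, pos = der_read(body)
    oid_tag, oid, _ = der_read(algorithm)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bits, _ = der_read(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_public_key, _ = der_read(bits[1:])
    _, n_bytes, pos = der_read(rsa_public_key)
    _, e_bytes, _ = der_read(rsa_public_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# --- OpenSSH public key line ----------------------------------------------
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def ssh_mpint(value: int) -> bytes:
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b"")


def encode_openssh_rsa(n: int, e: int, comment: str = "rsa-key") -> str:
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)   # OpenSSH puts e before n
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh(line: str):
    """Return (key type, n, e) from an 'ssh-rsa AAAA... comment' line."""
    key_type, b64 = line.split()[:2]
    blob, pos, fields = base64.b64decode(b64), 0, []
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0].decode() != key_type:
        raise ValueError("key type in blob does not match the prefix")
    return key_type, int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def key_summary(spki: bytes) -> dict:
    """What 'display public-key local' shows: key type, modulus bits and the hex key code."""
    n, _ = parse_spki_rsa(spki)
    return {"type": "RSA", "modulus_bits": n.bit_length(), "key_code": spki.hex()}
```

A 1024-bit key encoded this way begins 30819f300d06092a864886f70d010101050003818d00308189028181, which is exactly the prefix of the key code on page 491, and the OpenSSH line begins ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB for any RSA key with e = 65537. When comparing a key pasted through a terminal with the one on the device, compare the parsed (n, e) rather than the text: line wrapping and case changes in transit (the base64 on this page has been lowercased by extraction, for instance) corrupt the text but not the values.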

  • Page 472

449 public-key peer. Use public-key peer to assign a name to a peer host public key and enter public key view, or enter the view of an existing peer host public key. Use undo public-key peer to delete a peer host public key. Syntax: public-key peer keyname; undo public-key peer keyname. Default: No peer ...

  • Page 473

450 Syntax: public-key peer keyname import sshkey filename; undo public-key peer keyname. Default: No peer host public keys exist. Views: System view. Predefined user roles: network-admin. Parameters: keyname: Specifies a name for a peer host public key, a case-sensitive string of 1 to 64 characters. filenam...

  • Page 474: Pki Commands

451 PKI commands. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. IPv6-related parameters are not supp...

  • Page 475

452 • The subject name field and the issuer name field can contain a single DN, multiple FQDNs, and multiple IP addresses. • The alternative subject name field can contain multiple FQDNs and IP addresses but zero DNs. An attribute rule is a combination of an attribute-value pair with an operation ke...

  • Page 476

453 Default: No trusted CA is specified. Views: PKI domain view. Predefined user roles: network-admin. Parameters: name: Specifies the trusted CA by its name, a case-sensitive string of 1 to 63 characters. Usage guidelines: To obtain a CA certificate in a PKI domain, you must specify the trusted CA name. T...

  • Page 477

454 • State and country where the entity resides. • FQDN. • IP address. You can specify only one PKI entity for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect. Examples: # Specify PKI entity en1 for certificate request in PKI domain aaa. <Sysname> system-vi...

  • Page 479

456 Examples: # Set the certificate request mode to auto. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request mode auto # Set the certificate request mode to auto, and set the certificate revocation password in plain text to 123456. <Sysname> system-view [Sysname] pki domain aaa [...

  • Page 480

457 If the CA server automatically approves certificate requests, the PKI entity can obtain the certificate immediately after it submits a certificate request. In this case, the PKI entity does not send queries to the CA server. Examples: # Set the polling interval to 15 minutes, and the maximum numb...

  • Page 481

458 common-name. Use common-name to set the common name for a PKI entity. Use undo common-name to restore the default. Syntax: common-name common-name-string; undo common-name. Default: No common name is set for a PKI entity. Views: PKI entity view. Predefined user roles: network-admin. Parameters: common-name...

  • Page 482

459 [Sysname] pki entity en [Sysname-pki-entity-en] country CN. crl check: Use crl check enable to enable CRL checking. Use undo crl check enable to disable CRL checking. Syntax: crl check enable; undo crl check enable. Default: CRL checking is enabled. Views: PKI domain view. Predefined user roles: network-...

  • Page 483

460 Predefined user roles: network-admin. Parameters: url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location. The URL length is restricted by the CLI string limitation or the url-string para...

  • Page 484

461 Usage guidelines: If you do not specify a policy name, this command displays information about all certificate-based access control policies. Examples: # Display information about certificate-based access control policy mypolicy. <Sysname> display pki certificate access-control-policy mypolicy Access contro...

  • Page 485

462 Usage guidelines: If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups. Examples: # Display information about certificate attribute group mygroup. <Sysname> display pki certificate attribute-group mygroup Attribute group name: mygroup ...

  • Page 487

464 Subject: c=cn, o=ccc, ou=ppp, cn=rootca Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0: 28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40: 4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6: 57:7c:bb:bb:1b:1d:b6:81:a...

  • Page 488

465 bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b: 8a:f0:ea:02:fd:2d:44:7a:67 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS We...

  • Page 489

466 de:18:9d:c1 # Display brief information about all peer certificates in PKI domain aaa. <Sysname> display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: cn=sldsslserver # Display detailed information about a peer certificate in PKI d...

  • Page 490

467 X509v3 CRL Distribution Points: Full Name: URI:http://s03130.ccc.sec.com:447/ssl.crl Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:...

  • Page 491

468 Domain name: domain1 Renew time : 03:12:05 2016-06-13 Renew public key: Key type: RSA Time when key pair created: 15:40:48 2016/06/13 Key code: 30819f300d06092a864886f70d010101050003818d0030818902818100daa4aafefe04c2c9 667269bb8226e26331e30f41a8ff922c7338208097e84332610632b49f75dabf6d871b80ce c1...

  • Page 492

469 Views: Any view. Predefined user roles: network-admin, network-operator. Parameters: domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 63. Table 63 Special characters. Character name / S...

  • Page 493

470 Table 64 Command output. Field / Description. Certificate request transaction number: certificate request transaction number, starting from 1. Status: certificate request status, including only the Pending status. Key usage: certificate purposes: • General: signature and encryption. • Signature: signatur...

  • Page 494

471 Usage guidelines: Use this command to identify whether a certificate has been revoked. Examples: # Display information about the CRL saved locally for PKI domain aaa. <Sysname> display pki crl domain aaa Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issue...

  • Page 495

472 Field / Description. keyid: key ID. This field identifies the key pair used to sign the CRL. Signature Algorithm: signature algorithm and signature data. Related commands: pki retrieve-crl. fqdn: Use fqdn to set the FQDN of an entity. Use undo fqdn to restore the default. Syntax: fqdn fqdn-name-string; u...

  • Page 496

473 Views: PKI entity view. Predefined user roles: network-admin. Parameters: ip-address: Specifies an IPv4 address. interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address of the interface will be used as the IP address of the PKI entity. Usage ...

  • Page 497

474 • The CRL repository uses LDAP for CRL distribution. However, the CRL repository URL configured for the PKI domain does not contain the IP address or host name of the LDAP server. You can specify only one LDAP server for a PKI domain. If you execute this command multiple times, the most recent c...

  • Page 498

475 Use undo organization to restore the default. Syntax: organization org-name; undo organization. Default: No organization name is set for a PKI entity. Views: PKI entity view. Predefined user roles: network-admin. Parameters: org-name: Specifies an organization name, a case-sensitive string of 1 to 63 cha...

  • Page 499

476 pki abort-certificate-request. Use pki abort-certificate-request to abort the certificate request for a PKI domain. Syntax: pki abort-certificate-request domain domain-name. Views: System view. Predefined user roles: network-admin. Parameters: domain-name: Specifies a PKI domain by its name, a case-inse...

  • Page 500

477 undo pki certificate access-control-policy policy-name. Default: No certificate-based access control policies exist. Views: System view. Predefined user roles: network-admin. Parameters: policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters. Usage guidelines: A certificat...

  • Page 501

478 A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command). If a certificate attribute group does not have any attribute rules, the system determines that all certificates match the associated access control ...

  • Page 502

479 To delete a specific peer certificate in a PKI domain, perform the following steps: 1. Execute the display pki certificate command to determine the serial number of the peer certificate. 2. Execute the pki delete-certificate domain domain-name peer serial serial-num command. Examples: # Remove th...

  • Page 503

480 Predefined user roles: network-admin. Parameters: domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 69. Table 69 Special characters. Character name / Symbol: tilde ~, dot...

  • Page 505

482 aes-192-cbc: Specifies 192-bit AES_CBC for encrypting the private key of a local certificate. aes-256-cbc: Specifies 256-bit AES_CBC for encrypting the private key of a local certificate. des-cbc: Specifies DES_CBC for encrypting the private key of a local certificate. (DES offers only a 56-bit key and is not an adequate wrapper for a private key that leaves the device; choose one of the AES options.) pem-key: Specifies a passw...

  • Page 506

483 The specified file name can contain an absolute path. If the specified path does not exist, the export operation fails. Examples: # Export the CA certificate in the PKI domain to a file named cert-ca.der in DER format. <Sysname> system-view [Sysname] pki export domain domain1 der ca filename cert-ca.der # ...

  • Page 507

    484 fh9vc2vyienlcnrpzmljyxrlig9mie9wzw5dqsbmywjzmb0ga1uddgqwbbtpw8fy ut7xr2ct/23zu/ybgu9dqjafbgnvhsmegdawgbqzeq58yic54wxodp6jzzvn/gx0 cdaabgnvhreeezargq9jagt0zxn0qggzyy5jb20wgqydvr0sbbiweieocgtpqg9w zw5jys5vcmcwgyegccsgaqufbwebbhuwczaybggrbgefbqcwaoymahr0cdovl3rp dgful3bras9wdwivy2fjzxj0l2nhy2vydc5j...

  • Page 508

    485 a1uebhmcq04xfdasbgnvbaomc09wzw5dqsbmywjzmrewdwydvqqldahzb2z0d2fy ztenmasga1ueawweywjjzdaefw0xmta0mjyxmzmxmjlafw0xmja0mjuxmzmxmjla me0xczajbgnvbaytaknomrqwegydvqqkdatpcgvuq0egtgficzeomawga1uecwwf vxnlcnmxgdawbgnvbammd2noa3rlc3qgy2hrdgvzddcbnzanbgkqhkig9w0baqef aaobjqawgykcgyea54ruz0ux2kapcee4atpq...

  • Page 509

    486 lk1zosyeve7plnii3bz5khcgo3byyxfluaqryogvjcudaw7uiqqgv0ajq+zaqshi d4kqf5qwgykq55/c5puomcmrgcbmpr2lykqxldjtiazihrz/stp6c+ie2bfxi/yt 3xybo0wdmugokjjpsyktkcbg9ndfbdyfgzeyaobyyqaub3c0/bmfbduwhqwksoye 6vzspgaeiscmal3dip49jpgvkixoshrayf1jlswzjglzem8qvwyzoqkedwq3sv0z cxk8gzdbcsobcumkwiypamd1kapx -----en...

  • Page 510

487 [Sysname] pki export domain domain1 pem ca -----BEGIN CERTIFICATE----- miib7jccavcceqcdsvshjfemifvg8zrrosswma0gcsqgsib3dqebbquamdcxczaj bgnvbaytamnumqwwcgydvqqkewnom2mxddakbgnvbasta2gzyzemmaoga1ueaxmd ywnhmb4xdtexmdewnjayntc0nfoxdtezmtiwmtazmtmymfowodelmakga1uebhmc y24xddakbgnvbaota2gzyzemmaoga1u...

  • Page 512

489 • For the local certificates or peer certificates to be imported, the correct CA certificate chain must exist. The CA certificate chain can be stored on the device, or carried in the local certificates or peer certificates. If the PKI domain, the local certificates, or the peer certificates do n...

  • Page 513

490 [Sysname] pki import domain aaa pem ca filename rootca_pem.cer The trusted CA's finger print is: MD5 fingerprint:ffff 3eff ffff 37ff ffff 137b ffff 7535 SHA1 fingerprint:ffff ff7f ff2b ffff 7618 ff4c ffff 0a7d ffff ff69 Is the finger print correct?(Y/N):y [Sysname] # Import CA certificate file a...

  • Page 514

491 Bag Attributes localKeyID: 01 00 00 00 subject=/cn=sldsslserver issuer=/c=cn/o=ccc/ou=sec/cn=ssl -----BEGIN CERTIFICATE----- miicjzccafigawibagirajodn+shvrofvhbk11slqfcwdqyjkozihvcnaqefbqaw nzelmakga1uebhmcy24xddakbgnvbaota2gzyzemmaoga1uecxmdc2vjmqwwcgyd vqqdewnzc2wwhhcnmtaxmde1mdeymza2whcnmtiwn...

  • Page 515

492 Please enter the key pair name: import-key Related commands: display pki certificate; public-key dsa; public-key ecdsa; public-key rsa. pki request-certificate: Use pki request-certificate to submit a local certificate request or generate a certificate request in PKCS#10 format. Syntax: pki request-cer...

  • Page 516

493 This command is not saved in the configuration file. Examples: # Display information about the certificate request in PKCS#10 format. <Sysname> system-view [Sysname] pki request-certificate domain aaa pkcs10 *** Request for general certificate *** -----BEGIN NEW CERTIFICATE REQUEST----- miibtdcbtgibadanmqs...

  • Page 517

494 ca: Specifies the CA certificate. local: Specifies the local certificates. peer entity-name: Specifies a peer entity by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines: In online mode: • You can obtain the CA certificate through the SCEP protocol. If a CA certificate a...

  • Page 518

495 Predefined user roles: network-admin. Parameters: domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 74. Table 74 Special characters. Character name / Symbol: tild...

  • Page 521

498 Issuer: c=cn o=ccc ou=ppp cn=rootca Subject: c=cn o=ccc ou=ppp cn=rootca Verify result: OK # Verify the local certificates in PKI domain aaa. <Sysname> system-view [Sysname] pki validate-certificate domain aaa local Verifying certificates...... Serial Number: bc:05:70:1f:0e:da:0d:10:16:1e Issuer: c=cn o=s...

  • Page 522

499 Predefined user roles: network-admin. Parameters: name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-). length key-length: Specifies the key length, in bits. In non-FIPS mode, the value ...

  • Page 525

    502 the length key-length option takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and length before submitting a certificate request. The length key-length option is ignored if the specified key pair already exists...

  • Page 526

503 Usage guidelines: If you set the certificate request mode to auto for a PKI domain that does not have a CA certificate, you must configure the fingerprint for CA certificate verification. When an application, like IKE, triggers the device to request local certificates, the device automatically pe...
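The fingerprint is the only thing that binds the CA certificate obtained over SCEP or pasted from a file to the CA the operator intended: in manual import (page 513) the device prints the MD5 and SHA1 fingerprints and asks for confirmation, and in auto mode a configured fingerprint replaces that prompt. The following Python routine computes and checks fingerprints in the device's display format; it is an added example, not H3C code. The grouped-hex display form and the MD5/SHA1 choice are from the page; the command name under which the expected value is stored in the PKI domain (root-certificate fingerprint) is taken from the H3C syntax as the editor knows it and is not shown on this page. SAMPLE_DER is a constructed byte string standing in for a DER-encoded CA certificate.

```python
"""Out-of-band fingerprint check applied when a CA certificate is imported.
Added example; not H3C code."""
import hashlib
import hmac


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash the DER-encoded certificate and print it the way the device does:
    lowercase hex in groups of four ('ffff 3eff ffff 37ff ...')."""
    hexdigest = hashlib.new(algorithm, der).hexdigest()
    return " ".join(hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4))


def normalize(fp: str) -> str:
    """Accept the device's grouped form, OpenSSL's colon form, and either case."""
    return fp.replace(" ", "").replace(":", "").lower()


def fingerprint_matches(der: bytes, expected: str, algorithm: str) -> bool:
    # compare_digest keeps the comparison time independent of where the mismatch is
    return hmac.compare_digest(normalize(fingerprint(der, algorithm)), normalize(expected))


def import_decision(der: bytes, configured: dict) -> str:
    """configured maps algorithm -> fingerprint string configured in the PKI domain
    (assumed command: root-certificate fingerprint { md5 | sha1 } value).
    With nothing configured the manual import falls back to the interactive
    'Is the finger print correct?(Y/N)' prompt; in auto request mode the page says
    a fingerprint is mandatory, so 'prompt' there means the domain is misconfigured."""
    if not configured:
        return "prompt"
    for algorithm, expected in configured.items():
        if not fingerprint_matches(der, expected, algorithm):
            return "reject"
    return "import"


# Constructed stand-in for a DER CA certificate (not a real certificate).
SAMPLE_DER = bytes.fromhex("308201ff30820168a003020102020101") * 8
```

Obtain the expected value from the CA operator through a channel other than the one the certificate arrives on (the SCEP server that serves the certificate can equally serve a matching fingerprint). MD5 is collision-broken and SHA-1 is weakened, which matters if the CA operator or the SCEP path could be adversarial; they still serve to detect an accidental or man-in-the-middle substitution of an independently generated certificate, which is what the prompt on page 513 is for.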

  • Page 527

504 Predefined user roles: network-admin. Parameters: id: Assigns an ID to the access control rule, in the range of 1 to 16. The default setting is the smallest unused ID in this range. deny: Denies the certificates that match the associated attribute group. permit: Permits the certificates that match ...

  • Page 528

505 Predefined user roles: network-admin. Parameters: ip: Specifies a source IPv4 address. ipv6: Specifies a source IPv6 address. ip-address: Specifies the IPv4 or IPv6 address. interface interface-type interface-number: Specifies an interface by its type and number. The interface's primary IP address ...

  • Page 529

506 Predefined user roles: network-admin. Parameters: state-name: Specifies a state or province by its name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples: # Set the state name to countrya for PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] ...

  • Page 530

507 If you configure this command multiple times, the most recent configuration takes effect. Examples: # Configure the DN for PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] subject-dn cn=test,c=cn,o=abc,ou=rdtest,ou=rstest,st=countrya,l=pukras Related commands: common-name...

  • Page 531

508 [Sysname-pki-domain-aaa] usage ike. vpn-instance: Use vpn-instance to specify the VPN instance where the certificate request reception authority and the CRL repository belong. Use undo vpn-instance to restore the default. Syntax: vpn-instance vpn-instance-name; undo vpn-instance. Default: The certific...

  • Page 532: Ipsec Commands

509 IPsec commands. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The GDOI IPsec policy negotiation ...

  • Page 533

510 Hardware / Keyword compatibility:
  MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS: Yes
  MSR2600-10-X1: No
  MSR 2630: Yes
  MSR3600-28/3600-51: Yes
  MSR3600-28-SI/3600-51-SI: Yes
  MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: Yes
  MSR 3610/3620/3620-DP/3640/3660: Yes
  MSR5...

  • Page 534

511 Usage guidelines: You can configure different descriptions for IPsec policies, IPsec policy templates, or IPsec profiles to distinguish them. Examples: # Configure the description for IPsec policy 1 as centertoa. <Sysname> system-view [Sysname] ipsec policy policy1 1 isakmp [Sysname-ipsec-policy-isakmp-poli...

  • Page 535

512 Security data flow: Remote address: 2.5.2.1 Transform set: transform Inbound AH setting: AH SPI: 1200 (0x000004b0) AH string-key: ****** AH authentication hex key: Inbound ESP setting: ESP SPI: 1400 (0x00000578) ESP string-key: ESP encryption hex key: ESP authentication hex key: Outbound AH sett...

  • Page 536

513 Interface: LoopBack2 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: manual ----------------------------- Description: this is my complete policy Security data flow: 3100 Remote address: 2.2.2.2 Transform set: completetransform Inbound AH settin...

  • Page 537

514 SA duration(traffic based): 1843200 kilobytes SA idle time: # Display information about all IPv6 IPsec policies. <Sysname> display ipsec ipv6-policy ------------------------------------------- IPsec Policy: mypolicy ------------------------------------------- ----------------------------- Sequence number:...

  • Page 538

515 Field / Description. Mode: negotiation mode of the IPsec policy: • manual: manual mode. • isakmp: IKE negotiation mode. • template: IPsec policy template mode. • gdoi: GDOI mode. The policy configuration is incomplete: IPsec policy configuration incomplete. Possible causes include: • The ACL is not confi...

  • Page 540

517 IPsec SA local duration(traffic based): 1843200 kilobytes SA idle time: # Display information about all IPv6 IPsec policy templates. <Sysname> display ipsec ipv6-policy-template ----------------------------------------------- IPsec policy template: template6 -----------------------------------------------...

  • Page 542

519 Table 78 Command output. Field / Description. IPsec profile: IPsec profile name. Mode: negotiation mode used by the IPsec profile, manual or IKE. Description: description of the IPsec profile. Transform set: IPsec transform set used by the IPsec profile. Related commands: ipsec profile. display ipsec sa: U...

  • Page 543

520 <Sysname> display ipsec sa brief
-----------------------------------------------------------------------
Interface/Global   Dst Address       SPI          Protocol   Status
-----------------------------------------------------------------------
GE1/0/1            10.1.1.1          400          ESP        Active
GE1/0/1            255.255.255.255   4294967295   ESP        Active
GE...

  • Page 544

521 Dest addr: 192.168.1.0/255.255.255.0 Port: 0 Protocol: IP [Inbound ESP SAs] SPI: 3564837569 (0xd47b1ac1) Connection ID: 1 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 4294967295/604800 SA remaining duration (kilobytes/sec): 1843200/2686 Max received sequence-...

  • Page 545

522 Field / Description. Sequence number: sequence number of the IPsec policy entry. Mode: negotiation mode used by the IPsec policy: • manual • isakmp • template • gdoi. Tunnel id: IPsec tunnel ID. Encapsulation mode: encapsulation mode, transport or tunnel. Perfect forward secrecy: perfect forward secrecy ...

  • Page 546

    523 Field Description Max sent sequence-number Max sequence number in the sent packets. Anti-replay check enable Whether anti-replay checking is enabled. UDP encapsulation used for NAT traversal Whether NAT traversal is used by the IPsec SA. Status Status of the IPsec SA: active or standby. In a VSR...

  • Page 547

    524 encapsulation failure: 0 decapsulation failure: 0 replayed packets: 0 ACL check failure: 45 MTU check failure: 0 loopback limit exceeded: 0 crypto speed limit exceeded: 0 # Display statistics for the packets of IPsec tunnel 1. display ipsec statistics tunnel-id 1 IPsec packet statistics: Receive...

  • Page 548

    525 Related commands reset ipsec statistics display ipsec transform-set Use display ipsec transform-set to display information about IPsec transform sets. Syntax display ipsec transform-set [ transform-set-name ] Views Any view Predefined user roles network-admin network-operator Parameters transfor...

  • Page 549

    526 Field Description State Whether the IPsec transform set is complete. Encapsulation mode Encapsulation mode used by the IPsec transform set: transport or tunnel. ESN Whether Extended Sequence Number (ESN) is enabled. PFS Perfect Forward Secrecy (PFS) used by the IPsec policy for negotiation: • 76...

  • Page 550

    527 ---------------------------------------------------------------------------- Tunn-id Src Address Dst Address Inbound SPI Outbound SPI Status ---------------------------------------------------------------------------- 0 -- -- 1000 2000 Active 3000 4000 1 1.2.3.1 2.2.2.2 5000 6000 Active 7000 800...

  • Page 551

    528 Inside VPN-instance: SA's SPI: outbound: 6000 (0x00001770) [AH] inbound: 5000 (0x00001388) [AH] outbound: 8000 (0x00001f40) [ESP] inbound: 7000 (0x00001b58) [ESP] Tunnel: local address: 1.2.3.1 remote address: 2.2.2.2 Flow: as defined in ACL 3100 # Display detailed information about IPsec tunnel...

  • Page 552

    529 Field Description Flow Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol. As defined in ACL 3001 Range of data flow protected by the IPsec tunnel that is established manually. This infor...

  • Page 553

    530 system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] encapsulation-mode transport Related commands ipsec transform-set esn enable Use esn enable to enable the Extended Sequence Number (ESN) feature. Use undo esn enable to disable the ESN feature. Syntax esn enable ...

  • Page 555

    532 system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1 Related commands ipsec transform-set esp encryption-algorithm Use esp encryption-algorithm to specify encryption algorithms for ESP. Use undo esp encryption-algorithm to restore ...

  • Page 556

    533 camellia-cbc-256: Uses the Camellia algorithm in CBC mode, which uses a 256-bit key. This keyword is available only for IKEv2. des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key. gmac-128: Uses the GMAC algorithm, which uses a 128-bit key. This keyword is available only for IKE...

  • Page 557

    534 Hardware Keyword compatibility MSR2600-10-X1 No MSR 2630 No MSR3600-28/3600-51 No MSR3600-28-SI/3600-51-SI No MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC Yes MSR 3610/3620/3620-DP/3640/3660 Yes MSR5620/5660/5680 Yes Usage guidelines You can specify multiple ESP encryption algorithms for one I...

  • Page 558

    535 Parameters profile-name: Specifies an IKE profile by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines The IKE profile specified for an IPsec policy, IPsec policy template, or IPsec profile defines the parameters used for IKE negotiation. You can specify only one IKE pr...

  • Page 559

    536 Related commands display ipsec ipv6-policy display ipsec policy ikev2 profile ipsec anti-replay check Use ipsec anti-replay check to enable IPsec anti-replay checking. Use undo ipsec anti-replay check to disable IPsec anti-replay checking. Syntax ipsec anti-replay check undo ipsec anti-replay ch...

  • Page 560

    537 Default The anti-replay window size is 64. Views System view Predefined user roles network-admin Parameters width: Specifies the size for the anti-replay window. It can be 64, 128, 256, 512, or 1024 packets. Usage guidelines Changing the anti-replay window size affects only the IPsec SAs negotia...

  • Page 561

    538 An IKE-based IPsec policy can be applied to multiple interfaces. A manual IPsec policy can be applied to only one interface. Examples # Apply the IPsec policy policy1 to interface GigabitEthernet 1/0/1. system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] ipsec ap...

  • Page 562

    539 Default The DF bit is not configured for the outer IP header of IPsec packets on an interface. The global DF bit setting is used. Views Interface view Predefined user roles network-admin Parameters clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented. copy: Copies the...

  • Page 563

    540 Parameters after-encryption: Fragments packets after IPsec encapsulation. before-encryption: Fragments packets before IPsec encapsulation. Usage guidelines If you configure the device to fragment packets before IPsec encapsulation, the device predetermines the encapsulated packet size before the...

  • Page 564

    541 Examples # Set the DF bit in the outer IP header of IPsec packets on all interfaces. system-view [Sysname] ipsec global-df-bit set Related commands ipsec df-bit ipsec limit max-tunnel Use ipsec limit max-tunnel to set the maximum number of IPsec tunnels. Use undo ipsec limit max-tunnel to restor...

  • Page 565

    542 Predefined user roles network-admin Usage guidelines This command enables the device to output logs for the IPsec negotiation process. This command is available only in non-FIPS mode. Examples # Enable logging for IPsec negotiation. system-view [Sysname] ipsec logging negotiation enable ipsec lo...

  • Page 566

    543 Default No IPsec policies exist. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: ...

  • Page 571

    548 Default IPsec redundancy is disabled. Views System view Predefined user roles network-admin Usage guidelines With IPsec redundancy enabled, the system synchronizes the following information from the active device to the standby device at configurable intervals: • Lower bound values of the IPsec ...

  • Page 572

    549 Usage guidelines You can also configure IPsec SA lifetimes in IPsec policy view or IPsec policy template view. The device prefers the IPsec SA lifetimes configured in IPsec policy view or IPsec policy template view over the global IPsec SA lifetimes. When IKE negotiates IPsec SAs, it uses the lo...

  • Page 573

    550 Related commands display ipsec sa sa idle-time ipsec transform-set Use ipsec transform-set to create an IPsec transform set and enter its view, or enter the view of an existing IPsec transform set. Use undo ipsec transform-set to delete an IPsec transform set. Syntax ipsec transform-set transfor...

  • Page 574

    551 Default The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address. The first IPv6 address of the interface to which the IPsec policy is applied is used as the local IPv6 address. Views IPsec policy view IPsec policy template view Predefined ...

  • Page 575

    552 Predefined user roles network-admin Parameters dh-group1: Uses 768-bit Diffie-Hellman group. dh-group2: Uses 1024-bit Diffie-Hellman group. dh-group5: Uses 1536-bit Diffie-Hellman group. dh-group14: Uses 2048-bit Diffie-Hellman group. dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman...

  • Page 576

    553 ah: Specifies the AH protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set. Examples # Specify the AH protocol for the IPsec transform set. system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] protocol ah qos ...

  • Page 577

    554 Default The active device synchronizes the anti-replay window lower bound value every time it receives 1000 packets and synchronizes the sequence number every time it sends 100000 packets. Views IPsec policy view IPsec policy template view Predefined user roles network-admin Parameters inbound i...

  • Page 578

    555 Views IPsec policy view IPsec policy template view Predefined user roles network-admin Parameters ipv6: Specifies the remote address or host name of an IPv6 IPsec tunnel. To specify the remote address or host name of an IPv4 IPsec tunnel, do not specify this keyword. hostname: Specifies the remo...

  • Page 580

    557 After a manual IPsec SA is cleared, the system automatically creates a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system creates new SAs only when IKE negotiation is triggered by packets. Examples # Clear all IPsec SAs. reset ipsec sa # Clear th...

  • Page 581

    558 undo reverse-route dynamic Default IPsec RRI is disabled. Views IPsec policy view IPsec policy template view Predefined user roles network-admin Parameters next-hop: Specifies a next hop IP address for the IPsec RRI-created static route. If you do not specify a next hop IP address, the static ro...

  • Page 582

    559 # Display the routing table. You can see a created static route. (Other information is not shown.) [Sysname] display ip routing-table ... Destination/Mask Proto Pre Cost NextHop Interface 4.0.0.0/24 Static 60 0 2.2.2.3 GE1/0/1 Related commands display ip routing-table (Layer 3—IP Routing Command...

  • Page 583

    560 Use undo reverse-route tag to restore the default. Syntax reverse-route tag tag-value undo reverse-route tag Default The route tag value is 0 for the static routes created by IPsec RRI. Views IPsec policy view IPsec policy template view Predefined user roles network-admin Parameters tag-value: S...

  • Page 584

    561 Predefined user roles network-admin Parameters time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes. Usage guidelines IKE prefers the SA lifeti...

  • Page 585

    562 Parameters inbound: Specifies a hexadecimal authentication key for inbound SAs. outbound: Specifies a hexadecimal authentication key for outbound SAs. ah: Uses AH. esp: Uses ESP. cipher: Specifies a key in encrypted form. simple: Specifies a key in plaintext form. For security purposes, the key ...

  • Page 586

    563 Views IPsec policy view IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies a hexadecimal encryption key for inbound SAs. outbound: Specifies a hexadecimal encryption key for outbound SAs. esp: Uses ESP. cipher: Specifies a key in encrypted form. simple: Specifie...

  • Page 587

    564 [Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef [Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234 Related commands display ipsec sa sa string-key sa idle-time Use sa idle-time to set the IPsec ...

  • Page 590

    567 Examples # Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab, respectively. system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef [Sysname-ipsec-policy-manual-policy1-100...

  • Page 591

    568 • Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices. • Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and pro...

  • Page 592

    569 Views System view Predefined user roles network-admin Parameters auth-failure: Specifies notifications about authentication failures. decrypt-failure: Specifies notifications about decryption failures. encrypt-failure: Specifies notifications about encryption failures. global: Specifies notifica...

  • Page 593

    570 Views IPsec policy view IPsec policy template view Predefined user roles network-admin Usage guidelines The TFC padding feature can hide the length of the original packet, and might affect the packet encapsulation and de-encapsulation performance. This feature takes effect on UDP packets encapsu...

  • Page 594

    571 You can specify a maximum of six IPsec transform sets for an IKE-based IPsec policy. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be d...

  • Page 595

    572 Related commands interface tunnel (Layer 3—IP Services Command Reference) display interface tunnel (Layer 3—IP Services Command Reference) ipsec profile.

  • Page 596: IKE Commands

    573 IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. aaa authorization Use aaa authorizat...

  • Page 597

    574 Examples # Create the IKE profile profile1. system-view [Sysname] ike profile profile1 # Enable AAA authorization. Specify the ISP domain abc and the username test. [Sysname-ike-profile-profile1] aaa authorization domain abc username test authentication-algorithm Use authentication-algorithm to ...

  • Page 598

    575 Hardware Keyword compatibility MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC Yes MSR 3610/3620/3620-DP/3640/3660 Yes MSR5620/5660/5680 Yes Examples # Specify HMAC-SHA1 as the authentication algorithm for IKE proposal 1. system-view [Sysname] ike proposal 1 [Sysname-ike-proposal-1] authenticatio...

  • Page 599

    576 Examples # Specify pre-shared key authentication to be used in IKE proposal 1. system-view [Sysname] ike proposal 1 [Sysname-ike-proposal-1] authentication-method pre-share Related commands display ike proposal ike keychain pre-shared-key certificate domain Use certificate domain to specify a PK...

  • Page 600

    577 − The automatic certificate request mode is configured for the PKI domain. If the conditions are not met, you must manually obtain the CA certificate. IKE first automatically obtains the CA certificate, and then requests a local certificate. If the CA certificate already exists locally, IKE auto...

  • Page 601

    578 Related commands local-user description Use description to configure a description for an IKE proposal. Use undo description to restore the default. Syntax description text undo description Default An IKE proposal does not have a description. Views IKE proposal view Predefined user roles network...

  • Page 602

    579 Views IKE proposal view Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group. group2: Uses the 1024-bit Diffie-Hellman group. group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subg...

  • Page 603

    580 1 RSA-SIG SHA1 DES-CBC Group 1 5000 11 PRE-SHARED-KEY SHA1 DES-CBC Group 1 50000 default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400 Table 85 Command output Field Description Priority Priority of the IKE proposal Authentication method Authentication method used by the IKE proposal. Authentication ...

  • Page 604

    581 remote-address: Displays detailed information about IKE SAs with the specified remote address. ipv6: Specifies an IPv6 address. remote-address: Remote IP address. vpn-instance vpn-instance-name: Displays detailed information about IKE SAs in an MPLS L3VPN instance. The vpn-instance-name argument...

  • Page 605

    582 Remote IP: 4.4.4.5 Remote ID type: IPV4_ADDR Remote ID: 4.4.4.5 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: SHA1 Encryption-algorithm: AES-CBC-128 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not...

  • Page 606

    583 Table 87 Command output Field Description Connection ID Identifier of the IKE SA. Outside VPN VPN instance name of the MPLS L3VPN to which the receiving interface belongs. Inside VPN VPN instance name of the MPLS L3VPN to which the protected data belongs. Profile Name of the matching IKE profile...

  • Page 607

    584 display ike statistics Use display ike statistics to display IKE statistics. Syntax display ike statistics Views Any view Predefined user roles network-admin network-operator Examples # Display IKE statistics. display ike statistics IKE statistics: No matching proposal: 0 Invalid ID information:...

  • Page 610

    587 Hardware Keyword compatibility MSR5620/5660/5680 Yes sm4-cbc: Uses the SM4 algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv1. The following matrix shows the sm4-cbc keyword and hardware compatibility: Hardware Keyword compatibility MSR810/810-W/810-W-DB/81...

  • Page 611

    588 Predefined user roles network-admin Parameters aggressive: Specifies the aggressive mode. main: Specifies the main mode. Usage guidelines As a best practice, specify the aggressive mode at the local end if the following conditions are met: • The local end, for example, a dialup user, obtains an ...

  • Page 612

    589 To modify or delete an address pool, you must delete all IKE SAs and IPsec SAs. Otherwise, the assigned IPv4 addresses might not be reclaimed. Examples # Configure an IKE IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask 255.255.255.0. system-view [Sysname...

  • Page 613

    590 Examples # Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond. system-view [Sysname] ike dpd interval 10 retry 5 on-demand Related commands dpd ike identity Use ike identity to specify the global identity used by the local end during I...

  • Page 614

    591 system-view [Sysname] ike identity address 2.2.2.2 Related commands local-identity ike signature-identity from-certificate ike invalid-spi-recovery enable Use ike invalid-spi-recovery enable to enable invalid Security Parameter Index (SPI) recovery. Use undo ike invalid-spi-recovery enable to di...

  • Page 615

    592 Default No IKE keepalives are sent. Views System view Predefined user roles network-admin Parameters interval: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800. Usage guidelines To detect the status of the peer, configure IKE DPD instead of the IKE keepalive fe...

  • Page 616

    593 The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times as long as the keepalive interval. Examples # ...

  • Page 618

    595 Views System view Predefined user roles network-admin Usage guidelines This command enables the device to output logs for the IKE negotiation process. This command is available only in non-FIPS mode. Examples # Enable logging for IKE negotiation. system-view [Sysname] ike logging negotiation ena...

  • Page 619

    596 Syntax ike profile profile-name undo ike profile profile-name Default No IKE profiles exist. Views System view Predefined user roles network-admin Parameters profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters. Examples # Create IKE profile 1 and enter it...

  • Page 620

    597 Usage guidelines During IKE negotiation: • The initiator sends its IKE proposals to the peer. If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals specified for the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has ...

  • Page 621

    598 Examples # Configure the local device to always obtain the identity information from the local certificate for signature authentication. system-view [Sysname] ike signature-identity from-certificate Related commands local-identity ike identity inside-vpn Use inside-vpn to specify an inside VPN i...

  • Page 622

    599 undo keychain keychain-name Default No IKE keychain is specified for pre-shared key authentication. Views IKE profile view Predefined user roles network-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. Usage guidelines You can speci...

  • Page 623

    600 fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN. user-fqdn user-fqdn-name: Uses a u...

  • Page 624

    601 vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 or IPv6 address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option....

  • Page 625

    602 Usage guidelines Use this command to specify which address or interface can use the IKE profile for IKE negotiation. Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify t...

  • Page 626

    603 • address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address. • address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for...

  • Page 628

    605 [Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456testplat&! Related commands authentication-method keychain priority (IKE keychain view) Use priority to specify a priority for an IKE keychain. Use undo priority to restore the default. Syntax priority pr...

  • Page 629

    606 Views IKE profile view Predefined user roles network-admin Parameters priority priority: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority. Usage guidelines To determine the priority of an IKE profile, the device examines the existen...

  • Page 630

    607 [Sysname-ike-profile-prof1] proposal 10 Related commands ike proposal reset ike sa Use reset ike sa to delete IKE SAs. Syntax reset ike sa [ connection-id connection-id ] Views User view Predefined user roles network-admin Parameters connection-id connection-id: Specifies the connection ID of th...

  • Page 631

    608 Views User view Predefined user roles network-admin Examples # Clear IKE MIB statistics. reset ike statistics Related commands snmp-agent trap enable ike sa duration Use sa duration to set the IKE SA lifetime for an IKE proposal. Use undo sa duration to restore the default. Syntax sa duration s...

  • Page 633

    610 Examples # Enable SNMP notifications for IKE globally. system-view [Sysname] snmp-agent trap enable ike global # Enable SNMP notifications for events of creating IKE tunnels. [Sysname] snmp-agent trap enable ike tunnel-start.

  • Page 634: IKEv2 Commands

    611 IKEv2 commands aaa authorization Use aaa authorization to enable IKEv2 AAA authorization. Use undo aaa authorization to disable IKEv2 AAA authorization. Syntax aaa authorization domain domain-name username user-name undo aaa authorization Default IKEv2 AAA authorization is disabled. Views IKEv2 ...

  • Page 637

    614 [Sysname-ikev2-profile-profile1] keychain keychain1 Related commands display ikev2 profile certificate domain (IKEv2 profile view) keychain (IKEv2 profile view) certificate domain Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation. Use undo certifica...

  • Page 640

    617 display ikev2 profile Use display ikev2 profile to display the IKEv2 profile configuration. Syntax display ikev2 profile [ profile-name ] Views Any view Predefined user roles network-admin network-operator Parameters profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string...

  • Page 641

    618 Field Description Match criteria Criteria for looking up the IKEv2 profile. Local identity ID of the local end. Local authentication method Method that the local end uses for authentication. Remote authentication methods Methods that the remote end uses for authentication. Keychain IKEv2 keychai...

  • Page 642

    619 Usage guidelines This command displays IKEv2 proposals in descending order of priorities. If you do not specify any parameters, this command displays the configuration of all IKEv2 proposals. Examples # Display the configuration of all IKEv2 proposals. display ikev2 proposal IKEv2 proposal : 1 E...

  • Page 643

    620 ipv4-address: Specifies a local or remote IPv4 address. ipv6 ipv6-address: Specifies a local or remote IPv6 address. vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in a VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive strin...

  • Page 644

    621 Inside VRF: - Local SPI: 8f8af3dbf5023a00 Remote SPI: 0131565b9b3155fa Local ID type: FQDN Local ID: device_a Remote ID type: FQDN Remote ID: device_b Auth sign method: pre-shared key Auth verify method: pre-shared key Integrity algorithm: HMAC_MD5 PRF algorithm: HMAC_MD5 Encryption algorithm: A...

  • Page 645

    622 Auth verify method: pre-shared key Integrity algorithm: HMAC_MD5 PRF algorithm: HMAC_MD5 Encryption algorithm: AES-CBC-192 Life duration: 86400 secs Remaining key duration: 85604 secs Diffie-Hellman group: MODP1024/Group2 NAT traversal: Not detected DPD: Interval 30 secs, retry interval 10 secs ...

  • Page 646

    623 Field Description PRF algorithm PRF algorithms that the IKEv2 proposal uses. Encryption algorithm Encryption algorithms that the IKEv2 proposal uses. Life duration Lifetime of the IKEv2 SA, in seconds. Remaining key duration Remaining lifetime of the IKEv2 SA, in seconds. Diffie-Hellman group DH...

  • Page 647

    624 Unsupported critical payload: 0 Invalid IKE SPI: 0 Invalid major version: 0 Invalid syntax: 0 Invalid message ID: 0 Invalid SPI: 0 No proposal chosen: 0 Invalid KE payload: 0 Authentication failed: 0 Single pair required: 0 TS unacceptable: 0 Invalid selectors: 0 Tempture failure: 0 No child SA:...

  • Page 648

    625 Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group2: Uses the 1024-bit Diffie-Hellman group. group5: Uses the 1536-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group. group24: Uses the 2048-bit Diffie-Hellman group with the ...

  • Page 649

    626 retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds. on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval. periodic: Trigger...

  • Page 650

    627 aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key. aes-ctr-128: Uses the AES algorithm in CTR mode, which uses a 128-bit key. aes-ctr-192: Uses the AES algorithm in CTR mode, which uses a 192-bit key. aes-ctr-256: Uses the AES algorithm in CTR mode, which uses a 256-bit k...

  • Page 651

    628 [Sysname] ikev2 keychain key1 # Create an IKEv2 peer named peer1. [Sysname-ikev2-keychain-key1] peer peer1 # Specify the host name test of the IKEv2 peer. [Sysname-ikev2-keychain-key1-peer-peer1] hostname test Related commands ikev2 keychain peer identity Use identity to specify the ID of an IKE...

  • Page 652

    629 # Specify the peer IPv4 address 1.1.1.2 as the ID of the IKEv2 peer. [Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2 Related commands ikev2 keychain peer identity local Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer duri...

  • Page 654

    631 undo ikev2 cookie-challenge Default The cookie challenging feature is disabled. Views System view Predefined user roles network-admin Parameters number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 1 to 1000 half-open IKE SAs. Usage ...

  • Page 655

    632 periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval. Usage guidelines DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKEv2 peers. For an earlier detection of dea...

  • Page 656

    633 Usage guidelines Different from the IKEv2 IPv4 address pool, the device assigns an IPv6 subnet to a peer from the IKEv2 IPv6 address pool. The peer can use the assigned IPv6 subnet to assign IPv6 addresses to other devices. IKEv2 IPv6 address pools cannot overlap with each other. Examples # Conf...

  • Page 657

    634 Use undo ikev2 nat-keepalive to restore the default. Syntax ikev2 nat-keepalive seconds undo ikev2 nat-keepalive Default The NAT keepalive interval is 10 seconds. Views System view Predefined user roles network-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the ran...

  • Page 658

    635 Usage guidelines Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP a...

  • Page 659

    636 system-view [Sysname] ikev2 profile profile1 [Sysname-ikev2-profile-profile1] Related commands display ikev2 profile ikev2 proposal Use ikev2 proposal to create an IKEv2 proposal and enter its view, or enter the view of an existing IKEv2 proposal. Use undo ikev2 proposal to delete an IKEv2 propo...

  • Page 660

    637 Examples # Create an IKEv2 proposal named prop1. Specify the encryption algorithm AES-CBC-128, integrity protection algorithm SHA1, PRF algorithm SHA1, and DH group 2. system-view [Sysname] ikev2 proposal prop1 [Sysname-ikev2-proposal-prop1] encryption aes-cbc-128 [Sysname-ikev2-proposal-prop1] ...

  • Page 662

    639 Use undo keychain to restore the default. Syntax keychain keychain-name undo keychain Default No IKEv2 keychain is specified for an IKEv2 profile. Views IKEv2 profile view Predefined user roles network-admin Parameters keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is ...

  • Page 663

    640 Predefined user roles network-admin Parameters address: Specifies a local interface or IP address to which an IKEv2 profile can be applied. interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 addre...

  • Page 664

    641 Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. ...

  • Page 666

643 undo match vrf. Default: no VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network. Views: IKEv2 policy view. Predefined user roles: network-admin. Parameters: name vrf-name: specifies a VPN instance by its name, a case-sensitive string of 1 to 31 character...

  • Page 667

644 Parameters: name vrf-name: specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: specifies the public network and all VPN instances. Usage guidelines: if an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile fo...

  • Page 668

645 [Sysname-ikev2-profile-profile1] nat-keepalive 1200 Related commands: display ikev2 profile; ikev2 nat-keepalive. peer: Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer. Use undo peer to delete an IKEv2 peer. Syntax: peer name; undo peer name. Default: no i...

  • Page 670

647 system-view [Sysname] ikev2 keychain telecom # Create an IKEv2 peer named peer1. [Sysname-ikev2-keychain-telecom] peer peer1 # Configure the symmetric plaintext pre-shared key 111-key. [Sysname-ikev2-keychain-telecom-peer-peer1] pre-shared-key plaintext 111-key [Sysname-ikev2-keychain-telecom-pe...

  • Page 671

648 sha512: uses the HMAC-SHA512 algorithm. Usage guidelines: you can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority. Examples: # Create an IKEv2 proposal named prop1. system-view [Sysname] ikev2 proposal prop1 # Specify HMAC-SHA1 and HMAC-M...

  • Page 672

649 priority (IKEv2 profile view): Use priority to set a priority for an IKEv2 profile. Use undo priority to restore the default. Syntax: priority priority; undo priority. Default: the priority of an IKEv2 profile is 100. Views: IKEv2 profile view. Predefined user roles: network-admin. Parameters: priority: s...

  • Page 673

650 Usage guidelines: you can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority. Examples: # Specify the IKEv2 proposal proposal1 for the IKEv2 policy policy1. system-view [Sysname] ikev2 policy policy1 [Sysname-ikev2-policy-policy1] proposal prop...

  • Page 674

651 -------------------------------------------------------------------- 1 1.1.1.1/500 1.1.1.2/500 EST 2 2.2.2.1/500 2.2.2.2/500 EST Status: IN-NEGO: negotiating, EST: established, DEL: deleting # Delete the IKEv2 SA whose remote IP address is 1.1.1.2. reset ikev2 sa remote 1.1.1.2 display ikev2 sa ...

  • Page 675

652 Predefined user roles: network-admin. Parameters: seconds: specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400. Usage guidelines: an IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, saving a lot of negotiation time. However, the longer the life...

  • Page 676: Group Domain VPN Commands

653 Group domain VPN commands: The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The following matrix sh...

  • Page 677

654 Examples: # Set the anti-replay window size to 50 seconds for GDOI GM group group1. system-view [Sysname] gdoi gm group group1 [Sysname-gdoi-gm-group-group1] client anti-replay window sec 50 Related commands: display gdoi gm anti-replay. client registration: Use client registration to specify a regi...

  • Page 679

656 client transform-sets: Use client transform-sets to specify IPsec transform sets supported by a GM. Use undo client transform-sets to restore the default. Syntax: client transform-sets transform-set-name&; undo client transform-sets. Default: a GM supports the IPsec transform set configured with the ...

  • Page 680

657 Syntax: display gdoi gm [ group group-name ]. Views: any view. Predefined user roles: network-admin, network-operator. Parameters: group group-name: specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command...

  • Page 681

658 rule 1 deny ospf rule 2 permit icmp KEK: Rekey transport type : Multicast Remaining key lifetime : 159 sec Encryption algorithm : AES-CBC Key size : 128 Signature algorithm : RSA Signature hash algorithm : SHA1 Signature key length : 1024 bits TEK: SPI : 0x9ae5951e(2598737182) Transform : ESP-EN...

  • Page 682

659 Rekeys cumulative: Total received : 52 Rekeys after latest registration: 3 Total rekey ACKs sent : 23 ACL downloaded from KS 90.1.1.2: rule 0 deny udp source-port eq 848 destination-port eq 848 rule 1 deny ospf rule 2 permit icmp KEK: Rekey transport type : Unicast Remaining key lifetime : 159 s...

  • Page 683

660 Field / Description: Re-register in: period of time after which the GM re-registers with a KS. N/A indicates that the GM does not re-register with a KS. Succeeded registrations: number of successful registrations. Attempted registrations: number of registration attempts. Last rekey from: KS from which ...

  • Page 685

662 Group name: IPv6 ACL configured locally: IPsec policy name: gdoi-group1 IPv6 ACL identifier: 3001 rule 0 permit ipv6 source 1::/64 destination 2::/64 # Display information about ACLs that the GM downloaded from the KS. display gdoi gm acl download Group name: abc ACL downloaded from KS 12.1.1.10...

  • Page 686

663 Examples: # Display anti-replay information for all GDOI GM groups. display gdoi gm anti-replay Group name: abc Anti-replay timestamp type : POSIX-time Anti-replay window : 200.16 ms Related commands: client anti-replay window. display gdoi gm ipsec sa: Use display gdoi gm ipsec sa to display IPsec ...

  • Page 687

664 Field / Description: Transform: transform set. Remaining key lifetime: remaining lifetime of the IPsec SA, in seconds. display gdoi gm members: Use display gdoi gm members to display brief information about the GM. Syntax: display gdoi gm members [ group group-name ]. Views: any view. Predefined user role...

  • Page 688

665 Field / Description: Registered with: IP address or host name of the KS with which the GM registers. If the host name is displayed, this field also displays the IP address of the host in brackets. Re-register in: period of time after which the GM re-registers with a KS. Succeeded registrations: number...

  • Page 689

666 d3721818 b66201f0 bd1987be dd28d533 c38e7d42 939d2b71 3faaa17a 128df862 e45c531d a0c8593e d7d602e9 7a7e675a 94af6b25 2972cf85 94e601bd 19020301 0001 Table 97 Command output. Field / Description: Group name: GDOI GM group name. KS address: IPv4 or IPv6 address of the KS. Conn-id: ID of the rekey SA. My ...

  • Page 690

667 Group name: gdoi-group1 (Multicast) Number of rekeys received (cumulative) : 1904 Number of rekeys received after registration : 889 Multicast destination address : 239.192.1.190 Rekey (KEK) SA information: Destination Source Conn-id My cookie His cookie New : 239.192.1.190 90.1.1.1 9646 14406d2...

  • Page 691

668 Parameters: ipv6: specifies an IPv6 GDOI GM group. If you do not specify this keyword, the command creates an IPv4 GDOI GM group. group-name: specifies a name for the GDOI GM group, a case-insensitive string of 1 to 63 characters. Usage guidelines: IPv4 GDOI GM groups and IPv6 GDOI GM groups share...

  • Page 693

670 Views: user view. Predefined user roles: network-admin. Parameters: group group-name: specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command clears GDOI information for all GM groups. Examples: # Clear...

  • Page 694

671 [Sysname-gdoi-gm-group-abc] server address 3.3.3.4

  • Page 695: SSH Commands

672 SSH commands: Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1-DP/3610-X1...

  • Page 696

673 Parameters: session: displays SSH server session information. status: displays the SSH server status. slot slot-number: specifies a card by its slot number. If you do not specify a card, this command displays SSH server session information for the active MPU. (Distributed devices in standalone mo...

  • Page 697

674 Table 100 Command output. Field / Description: UserPid: user process ID. SessID: session ID. Ver: protocol version of the SSH server. Encrypt: encryption algorithm used on the SSH server. State: session state: • Init—initialization. • Ver-exchange—version negotiation. • Keys-exchange—key exchange. • Auth...

  • Page 699

676 Related commands: display ssh server. sftp server enable: Use sftp server enable to enable the SFTP server. Use undo sftp server enable to disable the SFTP server. Syntax: sftp server enable; undo sftp server enable. Default: the SFTP server is disabled. Views: system view. Predefined user roles: network-...

  • Page 700

677 Usage guidelines: if an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. To promptly release connection resources, set the idle timeout timer to a small value when many SFTP connections exist concurrently. Examples: # Set the idle tim...

  • Page 701

678 The SSH redirect server can provide the SSH redirect service after SSH redirect is enabled and an SSH redirect listening port is configured. The SSH client can use the ssh2 ip-address port-number command to access the destination device. The ip-address argument and the port-number argument speci...

  • Page 702

679 system-view [Sysname] line tty 1 [Sysname-line-tty1] ssh redirect disconnect Related commands: ssh redirect enable. ssh redirect enable: Use ssh redirect enable to enable SSH redirect for a user line. Use undo ssh redirect enable to disable SSH redirect for a user line. Syntax: ssh redirect enable; u...

  • Page 703

680 Examples: # Enable SSH redirect on TTY line 7. system-view [Sysname] line tty 7 [Sysname-line-tty7] ssh redirect enable Related commands: ssh redirect listen-port; ssh redirect disconnect. ssh redirect listen-port: Use ssh redirect listen-port to set a listening port for SSH redirect. Use undo ssh red...

  • Page 704

681 Examples: # Set the SSH redirect listening port number to 5000 on TTY line 1. system-view [Sysname] line tty 1 [Sysname-line-tty1] ssh redirect listen-port 5000 Related commands: ssh redirect enable. ssh redirect timeout: Use ssh redirect timeout to set the idle-timeout timer for the redirected SSH ...

  • Page 705

682 Examples: # Set the idle-timeout timer to 200 seconds for the redirected SSH connection. system-view [Sysname] line tty 1 [Sysname-line-tty1] ssh redirect timeout 200 Related commands: ssh redirect enable. ssh server acl: Use ssh server acl to specify an ACL to control IPv4 SSH connections. Use undo...

  • Page 706

683 Related commands: display ssh server. ssh server authentication-retries: Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default. Syntax: ssh server authentication-retries retries; undo...

  • Page 707

684 Syntax: ssh server authentication-timeout time-out-value; undo ssh server authentication-timeout. Default: the SSH user authentication timeout timer is 60 seconds. Views: system view. Predefined user roles: network-admin. Parameters: time-out-value: specifies an authentication timeout timer in the range ...

  • Page 708

685 Examples: # Enable the SSH server to support SSH1 clients. system-view [Sysname] ssh server compatible-ssh1x enable Related commands: display ssh server. ssh server dscp: Use ssh server dscp to set the DSCP value in the IPv4 SSH packets that the SSH server sends to SSH clients. Use undo ssh server d...

  • Page 709

686 Views: system view. Predefined user roles: network-admin. Examples: # Enable the Stelnet server. system-view [Sysname] ssh server enable Related commands: display ssh server. ssh server ipv6 acl: Use ssh server ipv6 acl to specify an ACL to control IPv6 SSH connections to the server. Use undo ssh server...

  • Page 710

687 system-view [Sysname] acl ipv6 basic 2001 [Sysname-acl6-ipv6-basic-2001] rule permit source 1::1 64 [Sysname-acl6-ipv6-basic-2001] quit [Sysname] ssh server ipv6 acl ipv6 2001 Related commands: display ssh server. ssh server ipv6 dscp: Use ssh server ipv6 dscp to set the DSCP value in the IPv6 SSH ...

  • Page 711

688 Views: system view. Predefined user roles: network-admin. Parameters: port-number: specifies a port number in the range of 1 to 65535. Usage guidelines: if you modify the SSH port number when the SSH service is enabled, the SSH service is restarted and all SSH connections are terminated after the modi...

  • Page 712

689 Usage guidelines: periodically updating the RSA server key pair helps protect the key pair against compromise and enhances the security of SSH connections. This command takes effect only for SSH1 clients. The system starts to count down the configured minimum update interval after the first SSH1 user...

  • Page 713

690 service-type: specifies a service type for the SSH user. • all: specifies service types Stelnet, SFTP, SCP, and NETCONF. • scp: specifies the service type SCP. • sftp: specifies the service type SFTP. • stelnet: specifies the service type Stelnet. • netconf: specifies the service type NETCONF. A...

  • Page 714

691 You do not need to create an SSH user by using the ssh user command. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the c...

  • Page 715

692 SSH client commands: bye: Use bye to terminate the connection with the SFTP server and return to user view. Syntax: bye. Views: SFTP client view. Predefined user roles: network-admin. Usage guidelines: this command has the same function as the exit and quit commands. Examples: # Terminate the connection w...

  • Page 716

693 cdup: Use cdup to return to the upper-level directory. Syntax: cdup. Views: SFTP client view. Predefined user roles: network-admin. Examples: # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current directory is:/test1 sftp> pwd Remote working directory: /te...

  • Page 718

695 Predefined user roles: network-admin, network-operator. Examples: # Display the source IP address configured for the SFTP client. display sftp client source The source IP address of the SFTP client is 192.168.0.1 The source IPv6 address of the SFTP client is 2:2::2:2 Related commands: sftp client ip...

  • Page 719

696 Usage guidelines: this command has the same function as the bye and quit commands. Examples: # Terminate the SFTP connection. sftp> exit get: Use get to download a file from the SFTP server and save it locally. Syntax: get remote-file [ local-file ]. Views: SFTP client view. Predefined user roles: netwo...

  • Page 721

698 Examples: # Display detailed information about the files and subdirectories under the current directory, including the files and subdirectories with names starting with dots (.). sftp> ls -a drwxrwxrwx 2 1 1 512 Dec 18 14:12 . drwxrwxrwx 2 1 1 512 Dec 18 14:12 .. -rwxrwxrwx 1 1 1 301 Dec 18 14:11...

  • Page 722

699 Parameters: local-file: specifies the name of a local file. remote-file: specifies the name of a file on an SFTP server. If you do not specify this argument, the file will be remotely saved with the same name as the local file. Examples: # Upload the local file startup.bak to the SFTP server and s...

  • Page 723

700 remove: Use remove to delete a file from the SFTP server. Syntax: remove remote-file. Views: SFTP client view. Predefined user roles: network-admin. Parameters: remote-file: specifies a file by its name. Usage guidelines: this command has the same function as the delete command. Examples: # Delete the fil...

  • Page 724

701 Syntax: rmdir remote-path. Views: SFTP client view. Predefined user roles: network-admin. Parameters: remote-path: specifies a directory. Examples: # Delete the subdirectory temp1 under the current directory on the SFTP server. sftp> rmdir temp1 scp: Use scp to establish a connection to an IPv4 SCP serve...

  • Page 725

702 destination-file-name: specifies the name of the target file. If you do not specify this argument, the target file uses the same file name as the source file. identity-key: specifies a public key algorithm for the client. The default is DSA in non-FIPS mode and RSA in FIPS mode. If the server...

  • Page 726

703 interface interface-type interface-number: specifies a source interface by its type and number. The IPv4 address of this interface is the source IPv4 address of the SCP packets. ip ip-address: specifies a source IPv4 address. Examples: # Connect the SCP client to the SCP server 200.1.1.1. Specify...

  • Page 727

704 -i interface-type interface-number: specifies an output interface by its type and number for SCP packets. This option is used only when the server uses a link-local address to provide the SCP service for the client. The specified output interface on the SCP client must have a link-local address....

  • Page 728

705 publickey keyname: specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters. source: specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the device automaticall...

  • Page 729

706 port-number: specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. identity-key: specif...

  • Page 730

707 source: specifies a source IPv4 address or source interface for the SFTP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source IPv4 address of SFTP packets. As a best practice to ensure successful IPv4 SFTP connections, specify a...

  • Page 731

708 Examples: # Specify 2:2::2:2 as the source IPv6 address for SFTP packets. system-view [Sysname] sftp client ipv6 source ipv6 2:2::2:2 Related commands: display sftp client source. sftp client source: Use sftp client source to configure the source IPv4 address for SFTP packets. Use undo sftp client s...

  • Page 733

710 prefer-ctos-hmac: specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithms sha1 and sha1-96 provide stronger security but cost more computation time than algorithms md5 and md5-96. • md5: specifies the HMAC algorithm HMAC-MD5. • md5-96: specifies the HMAC algorith...

  • Page 735

712 Default: the source IPv4 address for SSH packets is not configured. The Stelnet client uses the primary IPv4 address of the output interface in the routing entry as the source address of the SSH packets. Views: system view. Predefined user roles: network-admin. Parameters: interface interface-type int...

  • Page 736

713 Predefined user roles: network-admin. Parameters: server: specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: specifie...

  • Page 737

714 dscp dscp-value: specifies the DSCP value in the IPv4 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet. escape character: specifies a case-sensitive escape character. By default, th...

  • Page 739

716 • sha1-96: specifies the HMAC algorithm HMAC-SHA1-96. prefer-kex: specifies the preferred key exchange algorithm. The default is dh-group-exchange-sha1 in non-FIPS mode and dh-group14-sha1 in FIPS mode. • dh-group-exchange-sha1: specifies the key exchange algorithm diffie-hellman-group-exchange-...

  • Page 740

717 ssh2 ipv6 2000::1 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey escape $ SSH2 commands: display ssh2 algorithm: Use display ssh2 algorithm to display algorithms used by SSH2 in the algorithm negotiation...

  • Page 745: SSL Commands

722 SSL commands: The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The following matrix shows the featu...

  • Page 747

724 Usage guidelines: SSL employs the following algorithms: • Data encryption algorithms—encrypt data to ensure privacy. Commonly used data encryption algorithms are symmetric key algorithms, such as DES_CBC, 3DES_EDE_CBC, AES_CBC, and RC4. When using a symmetric key algorithm, the SSL server...

  • Page 748

725 optional: enables optional SSL client authentication. Usage guidelines: SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide. Mandatory SSL client authentication—the SSL server requires an SSL client...

  • Page 749

726 Predefined user roles: network-admin, network-operator. Parameters: policy-name: specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy name, this command displays information about all SSL client policies. Examples: # Display infor...

  • Page 750

727 Session cache size: 600 Caching timeout: 3600 seconds Client-verify: enabled Table 105 Command output. Field / Description: Caching timeout: session cache timeout time in seconds. Client-verify: SSL client authentication mode, including: • disabled—SSL client authentication is disabled. • enabled—SSL ...

  • Page 752

729 rsa_aes_256_cbc_sha: specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA. rsa_des_cbc_sha: specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA. rsa_...

  • Page 753

730 Views: SSL client policy view. Predefined user roles: network-admin. Usage guidelines: SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide. If you execute the server-verify enable command, an SSL server...

  • Page 754

731 Examples: # Set the maximum number of cached sessions to 600, and the timeout time for cached sessions to 1800 seconds. system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] session cachesize 600 timeout 1800 Related commands: display ssl server-policy. ssl client-poli...

  • Page 755

732 Syntax: ssl renegotiation disable; undo ssl renegotiation disable. Default: SSL session renegotiation is enabled. Views: system view. Predefined user roles: network-admin. Usage guidelines: the SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL sessio...

  • Page 756

733 system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] Related commands: display ssl server-policy. ssl version ssl3.0 disable: Use ssl version ssl3.0 disable to disable SSL 3.0 on the device. Use undo ssl version ssl3.0 disable to restore the default. Syntax: ssl version s...

  • Page 757

734 undo version. Default: the SSL protocol version for an SSL client policy is TLS 1.0. Views: SSL client policy view. Predefined user roles: network-admin. Parameters: ssl3.0: specifies SSL 3.0. tls1.0: specifies TLS 1.0. Usage guidelines: if you execute this command multiple times, the most recent config...

  • Page 758: SSL VPN Commands

735 SSL VPN commands: The following matrix shows the feature and hardware compatibility (Hardware / SSL VPN compatibility): MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK: Yes. MSR810-LMS/810-LUS: No. MSR2600-10-X1: No. MSR 2630: Yes. MSR3600-28/3600-51: Yes. MSR3600-28-SI/3600-51-SI: No. MS...

  • Page 759

736 Usage guidelines: an SSL VPN username cannot carry ISP domain information. After this command is executed, an SSL VPN gateway uses the specified ISP domain for authentication, authorization, and accounting of SSL VPN users in the context. Examples: # Specify ISP domain myserver for authentication,...

  • Page 760

737 Default: certificate authentication is disabled. Views: SSL VPN context view. Predefined user roles: network-admin. Usage guidelines: after you enable certificate authentication, you must also execute the client-verify command in SSL server policy view. The SSL VPN gateway uses the digital certificate...

  • Page 761

738 Usage guidelines: a file policy rewrites a file carried in an HTTP response to a file of the type specified by this command. If the specified file type is different from that indicated by the Content-Type field in the HTTP response, users might not be able to read the file correctly. If you execu...

  • Page 762

739 Default: no policy group is specified as the default policy group. Views: SSL VPN context view. Predefined user roles: network-admin. Parameters: group-name: specifies the name of a policy group, a case-insensitive string of 1 to 31 characters. The specified policy group must have been created by usin...

  • Page 763

740 Usage guidelines: if you execute this command multiple times, the most recent configuration takes effect. Examples: # Configure a description for shortcut shortcut1. system-view [Sysname] sslvpn context ctx1 [Sysname-sslvpn-context-ctx1] shortcut shortcut1 [Sysname-sslvpn-context-ctx1-shortcut-sho...

  • Page 764

741 Predefined user roles: network-admin, network-operator. Parameters: sslvpn-ac interface-number: specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you specify the sslvpn-ac keyword without the interface-number argument, this command displays information about all SSL VPN A...

  • Page 765

742 Field / Description: Bandwidth: expected bandwidth for the interface. Maximum transmission unit: MTU of the interface. Internet protocol processing: IP address of the interface. If no IP address is assigned to the interface, this field displays Internet protocol processing: disabled, and the interface...

  • Page 766

743 Field / Description: Interface: abbreviated interface name. Link: physical link state of the interface: • UP—the link is physically up. • DOWN—the link is physically down. • ADM—the interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the und...

  • Page 767

744 Operation state: Up AAA domain: domain1 Certificate authentication: Enabled Dynamic password: Enabled Code verification: Enabled Default policy group: not configured Associated SSL VPN gateway: gw1 Domain name: 1 Associated SSL VPN gateway: gw2 Virtual host: abc.com Associated SSL VPN gateway: gw...

  • Page 768

745 Field / Description: Code verification: whether code verification is enabled for the SSL VPN context. Default policy group: default policy group used by the SSL VPN context. Associated SSL VPN gateway: SSL VPN gateway associated with the SSL VPN context. Domain name: domain name specified for the SSL V...

  • Page 769

746 Predefined user roles: network-admin, network-operator. Parameters: brief: displays brief SSL VPN gateway information. If you do not specify this keyword, the command displays detailed SSL VPN gateway information. name gateway-name: specifies an SSL VPN context by its name. An SSL VPN context name i...

  • Page 770

747 Field / Description: Down reason: causes for the down operation status: • Administratively down—the SSL VPN gateway is disabled. To enable the gateway, use the service enable command. • VPN instance not exist—the VPN instance to which the SSL VPN gateway belongs does not exist. • Applying SSL server...

  • Page 771

748 Views: any view. Predefined user roles: network-admin, network-operator. Parameters: group-name: specifies a policy group by its name, a case-insensitive string of 1 to 31 characters. context context-name: specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string o...

  • Page 772

749 slot slot-number: specifies an IRF member device by its member ID. If you do not specify a member device, this command displays TCP port forwarding connection information for all member devices. (Centralized devices in IRF mode.) Examples: # (Centralized devices in standalone mode.) Display TCP p...

  • Page 774

751 Field / Description: Conn: number of connections in the SSL VPN session. Idle time: duration that the SSL VPN session has been idle. Created: creation time of the SSL VPN session. User IP address: IPv4 or IPv6 address used by the SSL VPN session. # Display detailed information about the SSL VPN session...

  • Page 775

752 Table 115 Command output. Field / Description: User: SSL VPN username. Context: context to which the user belongs. Policy group: policy group used by the user. Idle timeout: idle timeout time of the SSL VPN session, in seconds. Created at: creation time of the SSL VPN session. Lastest: most recent time wh...

  • Page 777

754 Parameters: ip-address: specifies the destination IP address of the route. It cannot be a multicast, broadcast, or loopback address. mask: specifies the subnet mask of the destination IP address. mask-length: specifies the mask length of the destination IP address, an integer in the range of 0 to...

  • Page 778

755 Usage guidelines: after you configure a resource link for a port forwarding item, you can click the port forwarding name on the SSL VPN web page to access the resource. If you execute this command for a port forwarding item multiple times, the most recent configuration takes effect. Examples: # Co...

  • Page 779

756 Syntax: file-policy policy-name; undo file-policy policy-name. Default: no file policies exist. Views: SSL VPN context view. Predefined user roles: network-admin. Parameters: policy-name: specifies a file policy name, a case-insensitive string of 1 to 31 characters. Usage guidelines: the SSL VPN gateway u...

  • Page 780

757 Usage guidelines: you can specify both an advanced ACL and a URI ACL for IP access filtering. The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request: 1. Matches the request against rules in the URI ACL: if the request matches a permit rule, the gatew...

  • Page 781

758 Usage guidelines: you can specify both an advanced ACL and a URI ACL for IP access filtering. The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request: 1. Matches the request against rules in the URI ACL: if the request matches a permit rule, the gatew...

  • Page 782

759 Usage guidelines: you can specify both an advanced ACL and a URI ACL for TCP access filtering. For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request: 1. Matches the request against the authorized port forwarding list. If the...

  • Page 783

760 Predefined user roles: network-admin. Parameters: uri-acl-name: specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist. Usage guidelines: you can specify both an advanced ACL and a URI ACL for TCP access filtering. For mobile client...

  • Page 784

    761 default a user can access only the web resources in the url list authorized to the user. Views ssl vpn policy group view predefined user roles network-admin parameters ipv6: specifies an ipv6 acl. Do not configure this keyword if you want to specify an ipv4 acl. Acl advanced-acl-number: specifie...

  • Page 785

    762 syntax filter web-access uri-acl uri-acl-name undo filter web-access uri-acl default users can access only the web resources authorized to them through the url list. Views ssl vpn policy group view predefined user roles network-admin parameters uri-acl-name: specifies a uri acl by its name, a ca...

  • Page 786

    763 views ssl vpn context view predefined user roles network-admin parameters all: logs out all users. Session session-id: logs out all users in a session. The session-id argument specifies the session id in the range of 1 to 4294967295. User user-name: logs out a user. The user-name argument specif...

  • Page 788

    765 default the heading of a url list is web. Views url list view predefined user roles network-admin parameters string: specifies a url list heading, a case-insensitive string of 1 to 31 characters. Examples # configure the heading of url list url as urlhead. System-view [sysname] sslvpn context ct...

  • Page 790

    767 interface sslvpn-ac use interface sslvpn-ac to create an ssl vpn ac interface and enter its view, or enter the view of an existing ssl vpn ac interface. Use undo interface sslvpn-ac to delete an ssl vpn ac interface. Syntax interface sslvpn-ac interface-number undo interface sslvpn-ac interface-...

  • Page 791

    768 usage guidelines a remote user uses the ipv4 address and port number configured by this command to access an ssl vpn gateway. For remote users to access the ssl vpn gateway correctly, you must specify an ipv4 address other than the default address (0.0.0.0) or the management address for the gate...

  • Page 793

    770 [sysname-sslvpn-context-ctx1-route-list-rtlist] quit [sysname-sslvpn-context-ctx1] policy-group pg1 [sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel access-route ip-route-list rtlist related commands ip-route-list ip-tunnel address-pool use ip-tunnel address-pool to specify an address po...

  • Page 795

    772 examples # specify ssl vpn ac 100 for ip access. System-view [sysname] sslvpn context ctx [sysname-sslvpn-context-ctx] ip-tunnel interface sslvpn-ac 100 related commands interface sslvpn-ac ip-tunnel keepalive use ip-tunnel keepalive to set the keepalive interval for ip access. Use undo ip-tunne...

  • Page 796

    773 default no wins servers are specified for ip access. Views ssl vpn context view predefined user roles network-admin parameters primary: specifies the primary wins server. Secondary: specifies the secondary wins server. Ip-address: specifies the ipv4 address of the wins server. It cannot be a mul...

  • Page 797

    774 examples # configure the ipv6 address of ssl vpn gateway gw1 as 200::1 and the port number as 8000. System-view [sysname] sslvpn gateway gw1 [sysname-sslvpn-gateway-gw1] ipv6 address 200::1 port 8000 related commands display sslvpn gateway local-port use local-port to configure a port forwarding...

  • Page 798

    775 local-port 80 local-name 127.0.0.1 remote-server 192.168.0.213 remote-port 80 the port forwarding instance will be displayed together with the port forwarding item name on the ssl vpn web page. In this example, tcp1 (127.0.0.1:80 -> 192.168.0.213) will be displayed. If you map a tcp service to a...

  • Page 799

    776 examples # enable resource access logging. System-view [sysname] sslvpn context ctx1 [sysname-sslvpn-context-ctx1] log resource-access enable log enable user-log use log enable user-log to enable logging for user online status changes. Use undo log enable user-log to disable logging for user onl...

  • Page 800

    777 parameters filtering: enables resource access log filtering. With this keyword specified, the device generates only one log for accesses of the same user to the same resource in a minute. If this keyword is not specified, the device generates a log for each resource access. Usage guidelines this...

  • Page 802

    779 examples # specify the logo in the file flash:/mylogo.gif as the logo displayed on ssl vpn webpages. System-view [sysname] sslvpn context ctx1 [sysname-sslvpn-context-ctx1] logo file flash:/mylogo.gif max-onlines use max-onlines to set the maximum number of concurrent logins for each account. Us...

  • Page 803

    780 predefined user roles network-admin parameters max-number: specifies the maximum number of sessions, in the range of 1 to 1048575. Examples # set the maximum number of sessions to 500 for ssl vpn context ctx1. System-view [sysname] sslvpn context ctx1 [sysname-sslvpn-context-ctx1] max-users 500 r...

  • Page 804

    781 related commands sslvpn context mtu use mtu to set the mtu of an ssl vpn ac interface. Use undo mtu to restore the default. Syntax mtu size undo mtu default the mtu is 1500 bytes. Views ssl vpn ac interface view predefined user roles network-admin parameters size: specifies an mtu value in the r...

  • Page 805

    782 usage guidelines during file content rewriting, the new content will replace the old content specified by using the old-content command. If the new content contains spaces, enclose the content in double quotation marks. Examples # specify the new content in rewrite rule rule1 of file policy fp. ...

  • Page 806

    783 related commands new-content policy-group use policy-group to create an ssl vpn policy group and enter its view, or enter the view of an existing ssl vpn policy group. Use undo policy-group to delete a policy group. Syntax policy-group group-name undo policy-group group-name default no ssl vpn p...

  • Page 807

    784 default no port forwarding lists exist. Views ssl vpn context view predefined user roles network-admin parameters port-forward-name: specifies a name for the port forwarding list, a case-insensitive string of 1 to 31 characters. Usage guidelines port forwarding lists provide tcp access services ...

  • Page 808

    785 parameters item-name: specifies a name for the port forwarding item, a case-insensitive string of 1 to 31 characters. Usage guidelines a port forwarding item defines an accessible tcp service provided on an internal server. It contains the following settings: • a port forwarding instance. A port...

  • Page 809

    786 • if you specify the sslvpn-ac keyword without the interface-number argument, this command clears statistics for all existing ssl vpn ac interfaces. • if you specify both the sslvpn-ac keyword and the interface-number argument, this command clears statistics for the specified ssl vpn ac interfac...

  • Page 810

    787 use undo resources port-forward-item to remove a port forwarding item from a port forwarding list. Syntax resources port-forward-item item-name undo resources port-forward-item item-name default a port forwarding list does not contain any port forwarding items. Views port forwarding list view pr...

  • Page 811

    788 parameters shortcut-name: specifies a shortcut by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines you can assign multiple shortcuts to a shortcut list. Examples # assign shortcut list1 to shortcut list shortcut1. System-view [sysname] sslvpn context ctx1 [sysname-sslv...

  • Page 812

    789 resources url-list use resources url-list to specify a url list for an ssl vpn policy group. Use undo resources url-list to remove the configuration. Syntax resources url-list url-list-name undo resources url-list default no url list is specified for an ssl vpn policy group. Views ssl vpn policy...

  • Page 813

    790 views file policy view predefined user roles network-admin parameters rule-name: specifies a rule name, a case-insensitive string of 1 to 31 characters. Usage guidelines you can configure multiple rewrite rules in a file policy. Examples # create a rewrite rule named rule1 and enter its view. Sy...

  • Page 814

    791 table 116 uri field descriptions field description protocol protocol name. Options are: • http. • https. • tcp. • udp. • icmp. • ip. Host domain name or address of a host. • valid host address formats: ipv4 or ipv6 address. For example, 192.168.1.1. Ipv4 or ipv6 address range in the format of st...

  • Page 815

    792 service enable (ssl vpn context view) use service enable to enable an ssl vpn context. Use undo service enable to disable an ssl vpn context. Syntax service enable undo service enable default an ssl vpn context is disabled. Views ssl vpn context view predefined user roles network-admin examples ...

  • Page 816

    793 session-connections use session-connections to set the maximum number of connections allowed per session. Use undo session-connections to restore the default. Syntax session-connections number undo session-connections default a maximum of 64 connections are allowed per session. Views ssl vpn con...

  • Page 817

    794 usage guidelines after you create a shortcut, use the execution command to configure a resource link for it. Users can then click the shortcut name on the ssl vpn web page to access the associated resource. Examples # create a shortcut named shortcut1 and enter its view. System-view [sysname] ss...

  • Page 818

    795 views ssl vpn ac interface view predefined user roles network-admin examples # shut down ssl vpn ac 1000. System-view [sysname] interface sslvpn-ac 1000 [sysname-sslvpn-ac1000] shutdown sms-imc address use sms-imc address to specify an imc server for sms message authentication. Use undo sms-imc ...

  • Page 819

    796 syntax sms-imc enable undo sms-imc enable default imc sms message authentication is disabled. Views ssl vpn context view predefined user roles network-admin usage guidelines before you execute this command, make sure sms message authentication has been configured on the imc server. In ip access ...

  • Page 820

    797 views ssl vpn context view predefined user roles network-admin parameters policy-name: specifies an ssl client policy by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines you can apply only one ssl client policy to an ssl vpn context. For the applied ssl client policy t...

  • Page 821

    798 if you execute this command multiple times, the new configuration overwrites the previous configuration, but does not take effect immediately. For the new configuration to take effect, disable the ssl vpn gateway and then enable the ssl vpn gateway. Examples # apply ssl server policy ca_cert to ssl vpn gate...

  • Page 822

    799 sslvpn gateway use sslvpn gateway to create an ssl vpn gateway and enter its view, or enter the view of an existing ssl vpn gateway. Use undo sslvpn gateway to delete an ssl vpn gateway. Syntax sslvpn gateway gateway-name undo sslvpn gateway gateway-name default no ssl vpn gateways exist. Views ...

  • Page 823

    800 syntax sslvpn ip address-pool pool-name start-ip-address end-ip-address undo sslvpn ip address-pool pool-name default no address pools exist. Views system view predefined user roles network-admin parameters pool-name: specifies a name for the address pool, a case-insensitive string of 1 to 31 ch...

  • Page 824

    801 examples # set the idle timeout timer to 50 minutes for ssl vpn sessions. System-view [sysname] sslvpn context ctx1 [sysname-sslvpn-context-ctx1] timeout idle 50 related commands display sslvpn policy-group title use title to configure a title to be displayed on ssl vpn webpages. Use undo title ...

  • Page 825

    802 predefined user roles network-admin parameters uri-acl-name: specifies a name for the uri acl, a case-insensitive string of 1 to 31 characters. Usage guidelines a uri acl is a set of rules that permit or deny access to resources. You can use uri acls for ip, tcp, and web access filtering of ssl ...

  • Page 826

    803 field description host host name or ip address of the server where the file resides. To specify an ipv6 address, enclose the ipv6 address in brackets. For example, http://[1234::5678]:8080/a.html. Port port number on which the server listens for resource access requests. If you do not specify a ...

  • Page 827

    804 field description host domain name or ip address of a host. To specify an ipv6 address, enclose the ipv6 address in brackets. For example, http://[1234::5678]:8080. Port port number. If you do not specify a port number, the default port number of the protocol is used, which is 80 for http and 44...

  • Page 828

    805 default no url lists exist. Views ssl vpn context view predefined user roles network-admin parameters name: specifies a name for the url list, a case-insensitive string of 1 to 31 characters. Examples # create a url list named url1 and enter url list view. System-view [sysname] sslvpn context ct...

  • Page 829

    806 use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance default an ssl vpn context is associated with the public network. Views ssl vpn context view predefined user roles network-admin parameters vpn-instance-name: specifies the name of a vpn instanc...

  • Page 830

    807 usage guidelines the vpn instance specified for an ssl vpn gateway is called a front vpn instance. You can specify only one vpn instance for an ssl vpn gateway. You can specify a nonexistent vpn instance for an ssl vpn gateway. The ssl vpn gateway does not take effect until the vpn instance is c...

  • Page 831: ASPF Commands

    808 aspf commands ipv6-related parameters are not supported on the following routers: • msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/810-lm-hk/810-w-lm-hk/810-lms/810-lus. • msr3600-28-si/3600-51-si. Commands and descriptions for centralized devices apply to the following routers: • msr810/810-...

  • Page 832

    809 you can apply an aspf policy to both the inbound and outbound directions of an interface. Examples # apply aspf policy 1 to the outbound direction of gigabitethernet 1/0/1. System-view [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] aspf apply policy 1 outbound related c...

  • Page 833

    810 [sysname-zone-pair-security-trust-untrust] aspf apply policy 1 related commands aspf policy display aspf all zone-pair security (fundamentals command reference) aspf icmp-error reply use aspf icmp-error reply to enable the device to send icmp error messages for packet dropping by security polici...

  • Page 834

    811 views system view predefined user roles network-admin parameters aspf-policy-number: assigns a number to the aspf policy. The value range for this argument is 1 to 256. Examples # create aspf policy 1 and enter its view. System-view [sysname] aspf policy 1 [sysname-aspf-policy-1] related command...

  • Page 835

    812 rsh: specifies remote shell (rsh), an application layer protocol. Rtsp: specifies real time streaming protocol (rtsp), an application layer protocol. Sccp: specifies skinny client control protocol (sccp), an application layer protocol. Sip: specifies session initiation protocol (sip), an applica...

  • Page 836

    813 display aspf all use display aspf all to display the configuration of all aspf policies and their applications. Syntax display aspf all views any view predefined user roles network-admin network-operator examples # display the configuration of all aspf policies and their applications. Display as...

  • Page 837

    814 related commands aspf apply policy aspf policy display aspf policy display aspf interface use display aspf interface to display aspf policy application on interfaces. Syntax display aspf interface views any view predefined user roles network-admin network-operator examples # display aspf policy ...

  • Page 838

    815 network-operator parameters aspf-policy-number: specifies the number of an aspf policy. The value range for this argument is 1 to 256. Default: specifies the predefined aspf policy. Examples # display the configuration of aspf policy 1. Display aspf policy 1 aspf policy configuration: policy num...

  • Page 839

    816 predefined user roles network-admin network-operator parameters ipv4: displays ipv4 aspf sessions. Ipv6: displays ipv6 aspf sessions. Slot slot-number: specifies a card by its slot number. If you do not specify a card, this command displays aspf sessions on all cards. (distributed devices in sta...

  • Page 840

    817 source ip/port: 192.168.1.18/1877 destination ip/port: 192.168.1.55/22 ds-lite tunnel peer: - vpn instance/vlan id/inline id: -/-/- protocol: tcp(6) inbound interface: gigabitethernet1/1/0/1 source security zone: srczone initiator: source ip/port: 192.168.1.18/1792 destination ip/port: 192.168.1...

  • Page 841

    818 responder: source ip/port: 192.168.1.55/22 destination ip/port: 192.168.1.18/1877 ds-lite tunnel peer: - vpn instance/vlan id/inline id: -/-/- protocol: tcp(6) inbound interface: gigabitethernet1/0/2 source security zone: destzone state: tcp_syn_sent application: ssh start time: 2011-07-29 19:12...

  • Page 842

    819 source security zone: srczone responder: source ip/port: 192.168.1.55/22 destination ip/port: 192.168.1.18/1877 ds-lite tunnel peer: - vpn instance/vlan id/inline id: -/-/- protocol: tcp(6) inbound interface: gigabitethernet1/1/0/2 source security zone: destzone state: tcp_syn_sent application: ...

  • Page 843

    820 source security zone: srczone responder: source ip/port: 192.168.1.55/22 destination ip/port: 192.168.1.18/1877 ds-lite tunnel peer: - vpn instance/vlan id/inline id: -/-/- protocol: tcp(6) inbound interface: gigabitethernet1/1/0/2 source security zone: destzone state: tcp_syn_sent application: ...

  • Page 844

    821 field description vpn-instance/vlan id/inline id • vpn-instance—mpls l3vpn instance where the session is initiated. • vlan id—vlan to which the session belongs during layer 2 forwarding. • inline id—inline to which the session belongs during layer 2 forwarding. If no vpn instance, vlan id, or in...

  • Page 845

    822 examples # enable icmp error message check for aspf policy 1. System-view [sysname] aspf policy 1 [sysname-aspf-policy-1] icmp-error drop related commands aspf policy display aspf policy reset aspf session use reset aspf session to clear aspf session statistics. Syntax centralized devices in sta...

  • Page 846

    823 tcp syn-check use tcp syn-check to enable tcp syn check. Use undo tcp syn-check to disable tcp syn check. Syntax tcp syn-check undo tcp syn-check default tcp syn check is disabled. Views aspf policy view predefined user roles network-admin usage guidelines tcp syn check checks the first packet t...

  • Page 847: APR Commands

    824 apr commands ipv6-related parameters are not supported on the following routers: • msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/810-lm-hk/810-w-lm-hk/810-lms/810-lus. • msr3600-28-si/3600-51-si. Commands and descriptions for centralized devices apply to the following routers: • msr810/810-w...

  • Page 848

    825 system-view [sysname] app-group aaa [sysname-app-group-aaa] related commands copy app-group description include application application statistics enable use application statistics enable to enable the application statistics feature in the specified direction of an interface. Use undo applicatio...

  • Page 849

    826 system-view [sysname] interface gigabitethernet 1/0/2 [sysname-gigabitethernet1/0/2] application statistics enable outbound # enable application statistics in the inbound and outbound directions of gigabitethernet 1/0/3. System-view [sysname] interface gigabitethernet 1/0/3 [sysname-gigabitether...

  • Page 850

    827 if you execute this command multiple times, the most recent configuration takes effect. Examples # set the maximum detected length to 100000 bytes for nbar rule abcd. System-view [sysname] nbar application abcd protocol http [sysname-nbar-application-abcd] apr set detectlen 100000 related comman...

  • Page 851

    828 examples # enable automatic update for the apr signature database and enter auto-update configuration view. System-view [sysname] apr signature auto-update [sysname-apr-autoupdate] related commands override-current update schedule apr signature auto-update-now use apr signature auto-update-now t...

  • Page 853

    830 syntax apr signature update [ override-current ] file-path views system view predefined user roles network-admin parameters override-current: overwrites the old apr signature file. If you do not specify this keyword, the old apr signature file will be saved as a backup signature file on the devi...

  • Page 854

    831 update scenario format of file-path remarks the update file is stored in a different directory on the same storage medium. Path/filename n/a the update file is stored on a different storage medium. Path/filename before updating the signature database, you must first use the cd command to open th...

  • Page 855

    832 system-view [sysname] apr signature update ftp://user%3a123:user%40abc%2f123@192.168.0.10/apr-1.0.2-en.dat # manually update the apr signature database by using an apr signature file stored on the device. The file path is cfa0:/apr-1.0.23-en.dat. In this example, the working direc...

  • Page 856

    833 description (application group view) use description to configure a description for an application group. Use undo description to restore the default. Syntax description text undo description default an application group is described as "user-defined application group". Views application group v...

  • Page 857

    834 parameters text: specifies a description, a case-sensitive string of 1 to 127 characters. Usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/810-lm-hk/810-w-lm-hk yes msr810-lms/810-...

  • Page 858

    835 parameters ip ipv4-address: specifies a destination ipv4 address or ipv4 subnet, in dotted decimal notation. Mask-length: specifies the mask length for ipv4 addresses, in the range of 0 to 32. Ipv6 ipv6-address: specifies a destination ipv6 address or ipv6 subnet. Prefix-length: specifies the pre...

  • Page 859

    836 views nbar rule view predefined user roles network-admin parameters to-client: specifies the direction from server to client. To-server: specifies the direction from client to server. Usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibilit...

  • Page 860

    837 views nbar rule view predefined user roles network-admin usage guidelines the following matrix shows the command and hardware compatibility: hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/810-lm-hk/810-w-lm-hk yes msr810-lms/810-lus no msr2600-10-x1 yes msr 2630...

  • Page 861

    838 parameters name group-name: specifies an application group by its name. The group-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. If you do not specify any parameters, this command displays information about all application groups. E...

  • Page 862

    839 field description pre-defined app-group count number of predefined application groups in the application group. This field is not supported in the current software version. Include pre-defined app-group list list of predefined application groups. This field is not supported in the current softwa...

  • Page 863

    840 12530wap_application_web_http pre-defined 0x000003ac no no 0
    12580_application_http pre-defined 0x00000312 no no 0
    126_web_email_download_http pre-defined 0x000002b7 no no 0
    126_web_email_login_http pre-defined 0x000002b3 no no 0
    126_web_email_read_email_http pre-defined 0x000002b4 no no 0
    1...

  • Page 864

    841 126_web_email_send_email_http pre-defined 0x000002b5 no no 0
    126_web_email_upload_http pre-defined 0x000002b8 no no 0
    139_mobile_weibo_comment_http pre-defined 0x000001da no no 0
    139_mobile_weibo_login_http pre-defined 0x000001d9 no no 0
    139_mobile_weibo_login_ pre-defined 0x00000444 no no 0...

  • Page 865

    842 field description type application protocol type: • pre-defined. • user-defined. App id/application id id of the application protocol. Tunnel whether or not the protocol is a tunnel protocol: • yes. • no. Encrypted whether or not the protocol is a cryptographic protocol: • yes. • no. Detectlen l...

  • Page 866

    843 slot slot-number: specifies a card by its slot number. This option is available only for global interfaces, such as vlan and tunnel interfaces. (distributed devices in standalone mode.) slot slot-number: specifies an irf member by its member id. This option is available only for global interfaces...

  • Page 867

    844 application in/out packets bytes pps bps appaaaaasg in 190023111111111111 252334402111111111 2342222222 3411222222 out 170034 270011351 3211 451134 app2 in 2195 18560000 300 654222 out 21986666666 655555555123123101 55551 5454125111 app3 in 2195 17560000 300 45161 out 21986666666 555555555123123...

  • Page 868

    845 field description bytes number of bytes received or sent by the interface. Pps packets received or sent per second. Bps bytes received or sent per second. Related commands app-group application statistics enable display application statistics top use display application statistics top to display...

  • Page 869

    846 argument represents the slot number of the card. This option is available only for global interfaces, such as vlan and tunnel interfaces. (distributed devices in irf mode.) usage guidelines this command displays application statistics only after the application statistics feature is enabled on th...

  • Page 870

    847 # display the top three application protocols that have received and sent the most bytes per second on gigabitethernet 1/0/1. Display application statistics top 3 bps interface gigabitethernet 1/0/1 interface : gigabitethernet1/0/1 application in/out packets bytes pps bps appaaaaasg in 190023111...

  • Page 871

    848 hardware command compatibility msr810-lms/810-lus no msr2600-10-x1 yes msr 2630 yes msr3600-28/3600-51 yes msr3600-28-si/3600-51-si no msr3610-x1/3610-x1-dp/3610-x1-dc/3610-x1-dp-dc yes msr 3610/3620/3620-dp/3640/3660 yes msr5620/5660/5680 yes examples # display apr signature database informatio...

  • Page 872

    849 application protocol port tacacs-ds tcp 65 udp 65 net-bios-dgm tcp 137, 138, 139 udp 137, 138, 139 ftp tcp 21 tftp udp 69 table 128 command output field description application application protocol using the port mapping. Protocol transport layer protocol. Port port number of the application pro...

  • Page 873

    850 ftp 21 udp ipv4 subnet 10.10.10.1/24 ftp 21 sctp ipv6 host 2000:fdb8::1:00ab:853c:39ab http 899 tcp ipv4 acl 2002 http 999 sctp ipv6 acl 2002 table 129 command output field description application application protocol using port mapping. Port port number to which the application protocol is mapp...

  • Page 874

    851 predefined user roles network-admin parameters application-name: specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. Usage guidelines execute this command multiple times to add multiple predefined or user-de...

  • Page 875

    852 http: specifies http packets to which the nbar rule is applied. Tcp: specifies tcp packets to which the nbar rule is applied. Udp: specifies udp packets to which the nbar rule is applied. Usage guidelines the following matrix shows the command and hardware compatibility: hardware command compati...

  • Page 876

    853 default if the apr signature database is automatically updated on a regular basis, the current apr signature file is not overwritten during an update operation. Instead, the device will back up the current apr signature file. Views auto-update configuration view predefined user roles network-admin ...

  • Page 877

    854 default an application protocol is mapped to a well-known port. Views system view predefined user roles network-admin parameters application application-name: specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allow...

  • Page 878

    855 default an application protocol is mapped to a well-known port. Views system view predefined user roles network-admin parameters application application-name: specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allow...

  • Page 880

    857 system-view [sysname] port-mapping application ftp port 3456 host ipv6 1::1 related commands display port-mapping user-defined port-mapping subnet use port-mapping subnet to configure a subnet-based host-port mapping. Use undo port-mapping subnet to remove a subnet-based host-port mapping. Synta...

  • Page 881

    858 usage guidelines apr uses subnet-based host-port mappings to recognize packets. A packet is recognized as an application protocol packet when it matches all the following conditions in a mapping: • the packet is destined for the specified ip subnet in the mapping. • the packet's destination port...

  • Page 883

    860 system-view [sysname] nbar application abcd protocol http [sysname-nbar-application-abcd] service-port range 2001 2004 related commands direction signature use signature to configure a signature for a user-defined nbar rule. Use undo signature to cancel the signature configuration. Syntax signat...

  • Page 884

    861 hardware command compatibility msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/810-lm-hk/810-w-lm-hk yes msr810-lms/810-lus no msr2600-10-x1 yes msr 2630 yes msr3600-28/3600-51 yes msr3600-28-si/3600-51-si no msr3610-x1/3610-x1-dp/3610-x1-dc/3610-x1-dp-dc yes msr 3610/3620/3620-dp/3640/3660 ye...

  • Page 885

    862 parameters ip ipv4-address: specifies a source ipv4 address or ipv4 subnet, in dotted decimal notation. Mask-length: specifies the mask length for ipv4 addresses, in the range of 0 to 32. Ipv6 ipv6-address: specifies a source ipv6 address or ipv6 subnet. Prefix-length: specifies the prefix length...

  • Page 886

    863 default the device automatically updates the apr signature database between 02:01:00 and 04:01:00 every day. Views auto-update configuration view predefined user roles network-admin parameters daily: specifies the daily update interval. Weekly: specifies the weekly update interval. You can specif...

  • Page 887

    864 examples # configure the device to automatically update the apr signature database at 23:10:00 every monday with a tolerance time of 10 minutes. System-view [sysname] apr signature auto-update [sysname-apr-autoupdate] update schedule weekly mon start-time 23:10:00 tingle 10 related commands apr ...

  • Page 888

    865 session management commands ipv6-related parameters are not supported on the following routers: • msr810/810-w/810-w-db/810-lm/810-w-lm/810-10-poe/810-lm-hk/810-w-lm-hk/810-lms/810-lus. • msr3600-28-si/3600-51-si. Commands and descriptions for centralized devices apply to the following routers:...

  • Page 889

    866 gtp-user 60 h225 3600 h245 3600 https 600 ils 3600 l2tp 120 mgcp-callagent 60 mgcp-gateway 60 netbios-dgm 3600 netbios-ns 3600 netbios-ssn 3600 ntp 120 pptp 3600 qq 120 ras 300 rip 120 rsh 60 rtsp 3600 sccp 3600 sip 300 snmp 120 snmptrap 120 sqlnet 600 stun 600 syslog 120 tacacs-ds 120 tftp 60 w...

  • Page 890

    867 views any view predefined user roles network-admin network-operator examples # display the aging time for sessions in different protocol states. Display session aging-time state state aging time(s) syn 30 tcp-est 3600 fin 30 udp-open 30 udp-ready 60 icmp-request 60 icmp-reply 30 rawip-open 30 ra...

  • Page 892

    869 Protocol: TCP(6) TTL: 1234s App: FTP-DATA Source IP/port: -/- Destination IP/port: 192.168.2.200/1212 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) TTL: 3100s App: H225 Total entries found: 2 # (Centralized devices in standalone mode.) Display all IPv6 relation en...

  • Page 894

    871 argument represents the slot number of the card. If you do not specify a card, this command displays IPv4 unicast session statistics for all cards. (Distributed devices in IRF mode.) Examples # Display statistics for unicast sessions from IP address 111.15.111.66. display session statistics ipv4...

  • Page 896

    873 Slot 1: Current sessions: 3 TCP sessions: 0 UDP sessions: 0 ICMP sessions: 3 ICMPv6 sessions: 0 UDP-Lite sessions: 0 SCTP sessions: 0 DCCP sessions: 0 RAWIP sessions: 0 # Display statistics for IPv6 unicast TCP sessions. display session statistics ipv6 protocol tcp Slot 1: Current sessions: 3 TC...

  • Page 897

    874 Syntax Centralized devices in standalone mode: display session statistics [ summary ] Distributed devices in standalone mode/centralized devices in IRF mode: display session statistics [ summary ] [ slot slot-number ] Distributed devices in IRF mode: display session statistics [ summary ] [ chas...

  • Page 898

    875 Past 30 days: 0/s Current relation-table entries: 0 Session establishment rate: 0/s TCP: 0/s UDP: 0/s ICMP: 0/s ICMPv6: 0/s UDP-Lite: 0/s SCTP: 0/s DCCP: 0/s RAWIP: 0/s Received TCP : 0 packets 0 bytes Received UDP : 118 packets 13568 bytes Received ICMP : 105 packets 8652 bytes Received ICMPv6 ...

  • Page 899

    876 Field Description Past 30 days The average number of sessions per second in the most recent 30 days. History average session establishment rate History statistics of average session establishment rates. Past hour The average session establishment rate in the most recent hour. Past 24 hours The a...

  • Page 900

    877 Field Description Sessions Total number of unicast sessions. TCP Number of TCP unicast sessions. UDP Number of UDP unicast sessions. Rate Rate of unicast session creation. TCP rate Rate of TCP unicast session creation. UDP rate Rate of UDP unicast session creation. display session statistics mul...

  • Page 901

    878 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about multicast session statistics. display session statistics multicast Slot 0: Current sessions: 0 Session establishment rate: 0/s Received: 0 packets 0 bytes Sent : 0 packets 0 bytes Slot 2: Curren...

  • Page 903

    880 verbose: Displays detailed information about IPv4 unicast session entries. If you do not specify this keyword, the command displays brief information about IPv4 unicast session entries. Usage guidelines If you do not specify any parameters, this command displays all IPv4 unicast session entries....

  • Page 904

    881 Source security zone: Trust Total sessions found: 2 # (Centralized devices in standalone mode.) Display detailed information about all IPv4 unicast session entries. display session table ipv4 verbose Slot 0: Initiator: Source IP/port: 192.168.1.18/1877 Destination IP/port: 192.168.1.55/22 DS-Lit...

  • Page 905

    882 Initiator->Responder: 1 packets 60 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 2 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about all IPv4 unicast session entries. display session table ipv4 verbose Slot 1: Ini...

  • Page 906

    883 Start time: 2011-07-29 19:12:33 TTL: 55s Initiator->Responder: 1 packets 60 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 2 Table 138 Command output Field Description Initiator Information about the unicast session from the initiator to the responder. Responder Information ...

  • Page 908

    885 Usage guidelines If you do not specify any parameters, this command displays all IPv6 unicast session entries. Examples # (Centralized devices in standalone mode.) Display brief information about all IPv6 unicast session entries. display session table ipv6 Slot 0: Initiator: Source IP/port: 2011...

  • Page 909

    886 Inbound interface: GigabitEthernet1/0/2 Source security zone: Local State: ICMPV6_REQUEST Application: OTHER Start time: 2011-07-29 19:23:41 TTL: 55s Initiator->Responder: 1 packets 104 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 1 # (Distributed devices in standalone mod...

  • Page 910

    887 Field Description VPN instance/VLAN ID/Inline ID MPLS L3VPN instance to which the unicast session belongs. VLAN and inline to which the unicast session belongs during Layer 2 forwarding. If a parameter is not specified, a hyphen (-) is displayed in the corresponding field. Protocol Transport layer pr...

  • Page 912

    889 Inbound interface: GigabitEthernet1/0/1 Outbound interface list: GigabitEthernet1/0/2 GigabitEthernet1/0/3 Total sessions found: 3 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about all IPv4 multicast session entries. display session table...

  • Page 913

    890 Start time: 2014-03-03 15:59:22 TTL: 18s Initiator->Responder: 1 packets 84 bytes Outbound initiator: Source IP/port: 3.3.3.4/1609 Destination IP/port: 232.0.0.1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: 232.0.0.1/1025...

  • Page 914

    891 Slot 1: Total sessions found: 0 Slot 2: Inbound initiator: Source IP/port: 3.3.3.4/1609 Destination IP/port: 232.0.0.1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound responder: Source IP/port: 232.0.0.1/1025 Destination IP/port: 3.3.3.4/1609 DS-Lite t...

  • Page 915

    892 Outbound responder: Source IP/port: 232.0.0.1/1025 Destination IP/port: 3.3.3.4/1609 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound interface: GigabitEthernet1/0/3 Destination security zone: bbb State: UDP_OPEN Application: OTHER Start time: 2014-03-03 15...

  • Page 916

    893 Field Description Inbound interface Inbound interface of the first packet from the initiator to the responder. Outbound interface Outbound interface of the first packet from the initiator to the responder. Outbound interface list Outbound interfaces of the first packet from the initiator to the responder. S...

  • Page 917

    894 argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (Distributed devices in IRF mode.) source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv6 address or IPv6 address range for a multicast session from the i...

  • Page 918

    895 Inbound initiator: Source IP/port: 3::4/1617 Destination IP/port: ff0e::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound interface: GigabitEthernet1/0/1 Outbound interface list: GigabitEthernet1/0/2 GigabitEthernet1/0/3 Total sessions found: 3 # (Cent...

  • Page 919

    896 Destination security zone: bbb State: UDP_OPEN Application: OTHER Start time: 2014-03-03 16:10:58 TTL: 23s Initiator->Responder: 5 packets 520 bytes Outbound initiator: Source IP/port: 3::4/1617 Destination IP/port: ff0e::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protoc...

  • Page 920

    897 Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust State: UDP_OPEN Application: OTHER Start time: 2014-03-03 16:10:58 TTL: 23s Initiator->Responder: 5 packets 520 bytes Outbound initiator: Source IP/port: 3::4/1617 Destination IP/port: ff0e::1/1025 DS-Lite tunnel peer: - VPN ins...

  • Page 921

    898 display session table multicast ipv6 verbose Slot 0 in chassis 1: Total sessions found: 0 Slot 1 in chassis 1: Total sessions found: 0 Slot 2 in chassis 1: Inbound initiator: Source IP/port: 3::4/1617 Destination IP/port: ff0e::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- ...

  • Page 922

    899 Destination IP/port: ff0e::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: ff0e::1/1025 Destination IP/port: 3::4/1617 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound interface: Giga...

  • Page 923

    900 Field Description Application Application layer protocol, FTP or DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. Start time Time when the multicast session was created. TTL Remaining lifetime of the multicast session, in seconds. Inbound interface Inbo...

  • Page 924

    901 argument represents the slot number of the card. If you do not specify a card, this command clears relation entries for all cards. (Distributed devices in IRF mode.) Usage guidelines If you do not specify the ipv4 keyword or the ipv6 keyword, this command clears all IPv4 and IPv6 relation entrie...

  • Page 925

    902 reset session statistics multicast Use reset session statistics multicast to clear multicast session statistics. Syntax Centralized devices in standalone mode: reset session statistics multicast Distributed devices in standalone mode/centralized devices in IRF mode: reset session statistics mult...

  • Page 926

    903 Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears unicast session entries for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ...

  • Page 927

    904 slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears information for all member devices. (Centralized devices in IRF mode.) chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number ar...

  • Page 929

    906 Syntax Centralized devices in standalone mode: reset session table multicast Distributed devices in standalone mode/centralized devices in IRF mode: reset session table multicast [ slot slot-number ] Distributed devices in IRF mode: reset session table multicast [ chassis chassis-number slot slo...

  • Page 930

    907 udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] Views User view Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information fo...

  • Page 932

    909 Examples # Clear all IPv6 multicast session entries. reset session table multicast ipv6 # Clear the IPv6 multicast session entries with the source IP address of 2011::0002. reset session table multicast ipv6 source-ip 2011::0002 Related commands display session table multicast ipv6 session aging...

  • Page 933

    910 • ras sessions: 300 seconds. • rip sessions: 120 seconds. • rsh sessions: 60 seconds. • rtsp sessions: 3600 seconds. • sccp sessions: 3600 seconds. • sip sessions: 300 seconds. • snmp sessions: 120 seconds. • snmptrap sessions: 120 seconds. • sqlnet sessions: 600 seconds. • stun sessions: 600 se...

  • Page 934

    911 nbar application port-mapping port-mapping acl port-mapping host port-mapping subnet session aging-time state session persistent acl session aging-time state Use session aging-time state to set the aging time for the sessions in a protocol state. Use undo session aging-time state to restore the ...

  • Page 935

    912 syn: Specifies the TCP SYN-SENT and SYN-RCV states. tcp-close: Specifies the TCP CLOSE state. tcp-est: Specifies the TCP ESTABLISHED state. tcp-time-wait: Specifies the TCP TIME-WAIT state. udp-open: Specifies the UDP open state. udp-ready: Specifies the UDP ready state. time-value: Specifies th...

  • Page 936

    913 If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure the device to output session logs on a per-10-mega-packet basis. system-view [Sysname] session statistics enable [Sysname] session log packets-active 10 Related commands session log enabl...

  • Page 937

    914 Examples # Enable IPv4 session logging in the inbound direction of GigabitEthernet 1/0/1. system-view [Sysname] session log flow-begin [Sysname] session log flow-end [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] session log enable ipv4 inbound # Enable session logging ...

  • Page 938

    915 Usage guidelines For the device to output a session log when a session entry is created, make sure both session logging and logging for session creation are enabled. Examples # Enable logging for session creation. system-view [Sysname] session log flow-begin Related commands session log enable s...

  • Page 939

    916 Views System view Predefined user roles network-admin Parameters time-value: Specifies the interval in minutes. The value range for the time-value argument is 10 to 120, and the value must be an integer multiple of 10. Usage guidelines If you set both time-based and traffic-based logging, the device ou...

  • Page 940

    917 For a TCP session in ESTABLISHED state, the priority of the aging time is as follows: • Aging time for persistent sessions. • Aging time for sessions of application layer protocols. • Aging time for sessions in different protocol states. A never-age-out session is not removed until the device re...

  • Page 941

    918 session statistics enable Use session statistics enable to enable session statistics collection for software fast forwarding. Use undo session statistics enable to disable session statistics collection for software fast forwarding. Syntax session statistics enable undo session statistics enable ...

  • Page 942: Connection Limit Commands

    919 Connection limit commands IPv6-related parameters are not supported on the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR3600-28-SI/3600-51-SI. Commands and descriptions for centralized devices apply to the following routers: •...

  • Page 943

    920 system-view [Sysname] connection-limit policy 1 [Sysname-connlmt-policy-1] # Create IPv6 connection limit policy 12 and enter its view. system-view [Sysname] connection-limit ipv6-policy 12 [Sysname-connlmt-ipv6-policy-12] Related commands connection-limit apply connection-limit apply global dis...

  • Page 945

    922 undo description Default A connection limit policy does not have a description. Views IPv4 connection limit policy view IPv6 connection limit policy view Predefined user roles network-admin Parameters text: Specifies a description, a case-sensitive string of 1 to 127 characters. Usage guidelines...

  • Page 946

    923 0 1 src-dst-port 2000 1800 10 3000 12 src-dst 500 45 0 3001 255 -- 1000000 980000 0 2001 1 2 dst-port 800 70 0 3010 3 src-dst 100 90 0 3000 10 src-dst-port 50 45 0 3003 11 src 200 200 0 3004 200 -- 500000 498000 0 2002 28 4 port 1500 1400 0 3100 5 dst 3000 280 0 3101 21 src-dst 200 180 0 3102 25...

  • Page 947

    924 Policy Description -------------------------------------------------------------------------------- 3 ipv6description3 4 description for ipv6 4 # Display information about IPv6 connection limit policy 3. display connection-limit ipv6-policy 3 IPv6 connection limit policy 3 has been applied 3 tim...

  • Page 948

    925 Related commands connection-limit connection-limit apply connection-limit apply global limit display connection-limit ipv6-stat-nodes Use display connection-limit ipv6-stat-nodes to display statistics about IPv6 connections that match connection limit rules globally or on an interface. Syntax Ce...

  • Page 949

    926 count: Displays only the number of limit rule-based statistics sets. Detailed information about the specified IPv6 connections is not displayed. If you do not specify this keyword, the command displays detailed information about the specified IPv6 connections that match connection limit rules. U...

  • Page 950

    927 DS-Lite tunnel peer : 9876543210 Service : TCP/12345 Limit rule ID : 12345(ACL: 3184) Sessions threshold hi/lo: 1000000/90000 Sessions count : 150000 Sessions limit rate : 0 New session flag : Permit # (Distributed devices in standalone mode.) Display statistics about all IPv6 connections that m...

  • Page 951

    928 Sessions threshold hi/lo: 2000/1500 Sessions count : 1988 Sessions limit rate : 0 New session flag : Permit # (Centralized devices in standalone mode.) Display the number of limit rule-based statistics sets by source IP address 2::1. display connection-limit ipv6-stat-nodes global source 2::1 co...

  • Page 952

    929 Field Description New session flag Whether or not new connections can be created: • Permit—New connections can be created. • Deny—New connections cannot be created. NOTE: When the number of connections reaches the upper limit, this field displays Permit although new connections are not allowed. ...

  • Page 953

    930 argument represents the slot number of the card. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in IRF mode.) Examples # (Centralized devices in standalone mode.) Display the glo...

  • Page 955

    932 Hardware Option compatibility MSR810/810-W/810-W-DB/810-LM/810-LMS/810-LUS/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK Yes MSR810-LMS/810-LUS No MSR2600-10-X1 Yes MSR 2630 Yes MSR3600-28/3600-51 Yes MSR3600-28-SI/3600-51-SI Yes MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC Yes MSR 3610/3620/3620...

  • Page 956

    933 Service : TCP/12345 Limit rule ID : 12345(ACL: 3001) Sessions threshold hi/lo: 1100000/980000 Sessions count : 1050000 Sessions limit rate : 0 New session flag : Permit # (Centralized devices in standalone mode.) Display statistics about all IPv4 connections that match the connection limit rule ...

  • Page 957

    934 DS-Lite tunnel peer : -- Service : ICMP/0 Limit rule ID : 7(ACL: 3102) Sessions threshold hi/lo: 4000/3800 Sessions count : 1001 Sessions limit rate : 0 New session flag : Permit # (Distributed devices in IRF mode.) Display statistics about IPv4 connections that match the connection limit rule o...

  • Page 958

    935 Field Description VPN instance MPLS L3VPN instance to which the IP address belongs. Two hyphens (--) indicate that the IP address is on the public network. DS-Lite tunnel peer Peer IP address of the DS-Lite tunnel. Two hyphens (--) indicate that the connection does not belong to a DS-Lite tunn...

  • Page 959

    936 Views IPv4 connection limit policy view IPv6 connection limit policy view Predefined user roles network-admin Parameters limit-id: Specifies a connection limit rule by its ID. The value range for this argument is 1 to 256. acl: Specifies the ACL that matches the user range. Only the user connect...

  • Page 960

    937 description text: Specifies a description for the connection limit rule, a case-sensitive string of 1 to 127 characters. By default, a connection limit rule does not have a description. Usage guidelines Each connection limit policy can define multiple rules. Each rule must specify the used ACL, ...

  • Page 961

    938 [Sysname-connlmt-ipv6-policy-12] limit 2 acl ipv6 2001 per-destination amount 200 100 rate 10 6. Verify that when the connection number exceeds 200, new connections cannot be established until the connection number goes below 100. (Details not shown.) Related commands connection-limit display co...

  • Page 962

    939 # (Centralized devices in standalone mode.) Clear the connection limit statistics on VLAN-interface 2. reset connection-limit statistics interface vlan-interface 2 # (Distributed devices in standalone mode.) Clear the global connection limit statistics on the card in slot 2. reset connection-lim...

  • Page 963: Object Group Commands

    940 Object group commands The following matrix shows the feature and hardware compatibility: Hardware Object group compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK Yes MSR810-LMS/810-LUS No MSR2600-10-X1 Yes MSR 2630 Yes MSR3600-28/3600-51 Yes MSR3600-28-SI/3600-...

  • Page 965

    942 10 port range 20 30 20 port group-object obj7 Service object-group obj5: 0 object(in use) Service object-group obj6: 6 objects(out of use) 0 service 200 10 service tcp source lt 50 destination range 30 40 20 service udp source range 30 40 destination gt 30 30 service icmp 20 20 40 service icmpv6...

  • Page 967

    944 • The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group. Examples # Configure an IPv4 address object with the host address of...

  • Page 968

    945 Predefined user roles network-admin Parameters object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not configure an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the syst...

  • Page 969

    946 # Configure an IPv6 address object with the IPv6 address of 1:1:1::1 and prefix length of 24. system-view [Sysname] object-group ipv6 address ipv6group [Sysname-obj-grp-ipv6-ipv6group] network subnet 1:1:1::1 24 # Configure an IPv6 address object with the address range of 1:1:1::1 to 1:1:1::100 ...

  • Page 970

    947 Hardware Command compatibility MSR 3610/3620/3620-DP/3640/3660 Yes MSR5620/5660/5680 No You can execute this command multiple times to exclude multiple IPv4 or IPv6 addresses from an address object. Examples # Configure an IPv4 address object with the IPv4 address of 192.166.0.0 and mask of 255....

  • Page 971

    948 • If the specified group does not exist, the system creates a new object group and enters the object group view. • If the specified group exists but the group type is different from that in the command, the command fails. The undo object-group command execution results vary with the specified ob...

  • Page 973

    950 • If the value of port is in the range of 2 to 65535, the system configures the object with a port number range of [0, port–1]. When you use the gt port option, follow these guidelines: • The value of port cannot be 65535. • If the value of port is 65534, the system configures the object with a ...

  • Page 975

    952 When you use the lt port option, follow these guidelines: • The value of port cannot be 0. • If the value of port is 1, the system configures the object with a port number of 0. • If the value of port is in the range of 2 to 65535, the system configures the object with a port number range of [0,...

  • Page 976: Object Policy Commands

    953 Object policy commands The following matrix shows the feature and hardware compatibility: Hardware Object group compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK Yes MSR810-LMS/810-LUS No MSR2600-10-X1 Yes MSR 2630 Yes MSR3600-28/3600-51 Yes MSR3600-28-SI/3600...

  • Page 977

    954 Default Rule matching acceleration is disabled for an object policy. Views Object policy view Predefined user roles network-admin Usage guidelines Insufficient hardware resources cause acceleration failures. When the system has sufficient hardware resources, acceleration can take effect again un...

  • Page 978

    955 Examples # Configure the description as zone-pair security office to library for an IPv4 address object policy. system-view [Sysname] object-policy ip permit [Sysname-object-policy-ip-permit] description zone-pair security office to library Related commands display object-policy ip display objec...

  • Page 979

    956 object-policy ip a object-policy ip c # Display detailed acceleration information for IPv4 object policy a. display object-policy accelerate verbose ip a object-policy ip a rule 1 drop rule 0 pass (failed) Table 147 Command output Field Description failed Rule matching acceleration and rule matc...

  • Page 980

    957 Field Description Object-policy accelerated Rule matching acceleration is enabled for the IPv4 object policy. rule 5 pass source-ip sourceip Statement of rule 5. The value of sourceip is the name of the source IPv4 address object group. rule 5 comment this rule is used for source-ip sourceip Des...

  • Page 981

    958 Field Description rule 5 comment this rule is used for source-ip sourceipv6 Description of rule 5. display object-policy statistics zone-pair security Use display object-policy statistics zone-pair security to display statistics for the object policies applied to a zone pair. Syntax display obje...

  • Page 982

    959 Field Description X packets, Y bytes The rule has matched X packets, a total of Y bytes. This field is displayed only when the following conditions exist: • The counting or logging keyword is specified in the rule command. • The rule has been matched. Related commands reset object-policy statisti...

  • Page 983

    960 move rule Use move rule to change the rule match order of a rule in an object policy. Syntax move rule rule-id before insert-rule-id Views Object policy view Predefined user roles network-admin Parameters rule-id: Specifies a rule by its ID in the range of 0 to 65534. insert-rule-id: Specifies t...

  • Page 984

    961 Predefined user roles network-admin Parameters object-policy-name: Specifies an IPv4 object policy by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If the specified object policy does not exist, this command fails. You can apply only one IPv4 object policy to each z...

  • Page 985

    962 Examples # Configure an IPv6 object policy and apply it to a zone pair. system-view [Sysname] object-policy ipv6 permit [Sysname-object-policy-ipv6-permit] quit [Sysname] zone-pair security source office destination library [Sysname-zone-pair-security-office-library] object-policy apply ipv6 per...

  • Page 986

    963 object-policy ipv6 Use object-policy ipv6 to configure an IPv6 object policy and enter its view, or enter the view of an existing IPv6 object policy. Use undo object-policy ipv6 to delete an IPv6 object policy. Syntax object-policy ipv6 object-policy-name undo object-policy ipv6 object-policy-na...

  • Page 987

    964 Parameters source source-zone-name: Specifies the source security zone name, a case-insensitive string of 1 to 31 characters. destination destination-zone-name: Specifies the destination security zone name, a case-insensitive string of 1 to 31 characters. ip: Clears statistics for IPv4 object po...

  • Page 988

    965 inspect app-profile-name: Applies a DPI application profile to the packets that match the rule. The app-profile-name argument represents the DPI profile name, a case-insensitive string of 1 to 100 characters. The string can contain only letters, digits, and underscores (_). The following matrix ...

  • Page 989

    966 If you specify a nonexistent object group in a rule, the command creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets. If you do not specify any options in the undo rule command, the command deletes ...

  • Page 990

    967 Default No rules are configured for an IPv6 object policy. Views IPv6 object policy view Predefined user roles network-admin Parameters rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule an integer next to ...

  • Page 991

    968 app-group app-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters. The invalid and other application groups are not supported. counting: Enables match counting for the rule in an IPv6 object policy. By default, rule match counting is disabled. ...

  • Page 993

    970 [Sysname-object-policy-ip-permit] rule 1 append source-ip sourceip2 [Sysname-object-policy-ip-permit] rule 1 append source-ip sourceip3 Related commands app-group display object-policy ip display object-policy ipv6 nbar application object-group object-policy ip object-policy ipv6 rule (IPv4 obje...

  • Page 994

    971 display object-policy ipv6.

  • Page 995: Commands

    972 Attack detection and prevention commands Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • M...

  • Page 996

    973 Examples # Specify drop as the global action against ACK flood attacks in the attack defense policy atk-policy-1. system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] ack-flood action drop Related commands ack-flood threshold ack-flood detect ack-...

  • Page 997

    974 Usage guidelines With ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the sil...

  • Page 998

    975 ack-flood threshold Use ack-flood threshold to set the global threshold for triggering ACK flood attack prevention. Use undo ack-flood threshold to restore the default. Syntax ack-flood threshold threshold-value undo ack-flood threshold Default The global threshold is 1000 for triggering ACK flo...

  • Page 999

    976 Default No attack defense policy is applied to an interface. Views Interface view Predefined user roles network-admin Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and...

  • Page 1000

    977 Usage guidelines An attack defense policy applied to the device itself detects packets destined for the device and prevents attacks targeted at the device. Applying an attack defense policy to the device can improve the efficiency of processing attack packets destined for the device. Each device...

  • Page 1001

    978 [Sysname] attack-defense login reauthentication-delay 5 attack-defense policy Use attack-defense policy to create an attack defense policy and enter its view, or enter the view of an existing attack defense policy. Use undo attack-defense policy to delete an attack defense policy. Syntax attack-...

  • Page 1002

    979 Predefined user roles network-admin Usage guidelines Log aggregation aggregates all logs generated during a period of time and sends one log. The logs with the same attributes for the following items can be aggregated: • Interface where the attack is detected. • Attack type. • Attack prevention ...

  • Page 1003

    980 Related commands display attack-defense top-attack-statistics blacklist enable Use blacklist enable to enable the blacklist feature on an interface. Use undo blacklist enable to disable the blacklist feature on an interface. Syntax blacklist enable undo blacklist enable Default The blacklist fea...

  • Page 1004

    981 Predefined user roles network-admin Usage guidelines If you enable the global blacklist feature, the blacklist feature is enabled on all interfaces. Examples # Enable the global blacklist feature. system-view [Sysname] blacklist global enable Related commands blacklist enable blacklist ip blackl...

  • Page 1005

    982 Examples # Add a blacklist entry for the IP address 192.168.1.2 and set the aging time to 20 minutes for the entry. system-view [Sysname] blacklist ip 192.168.1.2 timeout 20 Related commands blacklist enable blacklist global enable display blacklist ip blacklist ipv6 Use blacklist ipv6 to add an...

  • Page 1006

    983 blacklist global enable, blacklist ip. blacklist logging enable: Use blacklist logging enable to enable logging for the blacklist feature. Use undo blacklist logging enable to disable logging for the blacklist feature. Syntax: blacklist logging enable; undo blacklist logging enable. Default: Logging is...

  • Page 1007

    984 Related commands: blacklist ip, blacklist ipv6. blacklist object-group: Use blacklist object-group to add an address object group to the blacklist. Use undo blacklist object-group to restore the default. Syntax: blacklist object-group object-group-name; undo blacklist object-group. Default: No address o...

  • Page 1008

    985 client-verify dns enable: Use client-verify dns enable to enable DNS client verification on an interface. Use undo client-verify dns enable to disable DNS client verification on an interface. Syntax: client-verify dns enable; undo client-verify dns enable. Default: DNS client verification is disabled...

  • Page 1009

    986 Predefined user roles: network-admin. Usage guidelines: Enable HTTP client verification on the interface connected to the external network. This feature protects internal servers against HTTP flood attacks. For HTTP client verification to collaborate with HTTP flood attack prevention, specify c...

  • Page 1010

    987 vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network. port port-number: Specifies the...

  • Page 1011

    988 port port-number: Specifies the port to be protected, in the range of 1 to 65535. If you do not specify this option, DNS client verification protects port 53, HTTP client verification protects port 80, and TCP client verification protects all ports. Usage guidelines: You can specify multiple prot...

  • Page 1012

    989 • Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators. • SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers. Choose a TCP proxy mode according to the network scenarios. • If packets from clients pass through the tc...

  • Page 1013

    990 fin-flood: Specifies the FIN flood attack. flood: Specifies all IPv4 flood attacks. http-flood: Specifies the HTTP flood attack. icmp-flood: Specifies the ICMP flood attack. rst-flood: Specifies the RST flood attack. syn-ack-flood: Specifies the SYN-ACK flood attack. syn-flood: Specifies the SYN flood attack. udp-flood...

  • Page 1014

    991 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display all IPv4 flood attack detection and prevention statistics. display attack-defense flood statistics ip. Slot 1: IP address VPN Detected on Detect type State PPS Dropped 192.168.100.221 a0123456789 GE1/0/2 syn-ack-f...

  • Page 1015

    992 Table 152 Command output. Field: Description. IP address: Protected IPv4 address. VPN: MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--). Detected on: Where the attack is detected, on the device (lo...

  • Page 1016

    993 flood: Specifies all IPv6 flood attacks. http-flood: Specifies the HTTP flood attack. icmpv6-flood: Specifies the ICMPv6 flood attack. rst-flood: Specifies the RST flood attack. syn-ack-flood: Specifies the SYN-ACK flood attack. syn-flood: Specifies the SYN flood attack. udp-flood: Specifies the UDP flood attack. ipv6-...

  • Page 1017

    994 Slot 1: IPv6 address VPN Detected on Detect type State PPS Dropped 2000::1011 a0123456789 GE1/0/2 syn-flood normal 0 4294967295 1::2 1222232 GE1/0/2 dns-flood normal 1000 111111111 1::3 -- GE1/0/3 syn-ack-flood normal 1000 222222222 1::4 -- GE1/0/4 ack-flood normal 1000 111111111 1::5 -- GE1/0/5...

  • Page 1018

    995 Field: Description. VPN: MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--). Detected on: Where the attack is detected, on the device (local) or an interface. Detect type: Type of the detected flood...

  • Page 1019

    996 Exempt IPv4 ACL: Not configured. Exempt IPv6 ACL: vip. -------------------------------------------------------------------------- Actions: CV-client verify, BS-block source, L-logging, D-drop, N-none. Signature attack defense configuration: Signature name Defense level Actions. Fragment Enabled info...

  • Page 1020

    997 ICMP address mask reply Disabled medium L,D ICMPv6 echo request Enabled medium L,D ICMPv6 echo reply Disabled medium L,D ICMPv6 group membership query Disabled medium L,D ICMPv6 group membership report Disabled medium L,D ICMPv6 group membership reduction Disabled medium L,D ICMPv6 destination u...

  • Page 1021

    998 Field: Description. Actions: Attack prevention actions: • CV—Client verification. • BS—Blocking sources. • L—Logging. • D—Dropping packets. • N—No action. Signature attack defense configuration: Configuration information about single-packet attack detection and prevention. Signature name: Type of the...

  • Page 1022

    999 Field: Description. Service ports: Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-). Non-specific: Whether global flood attack detection is enabled. Flood attack ...

  • Page 1024

    1001 chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information abou...

  • Page 1025

    1002 Slot 1: Totally 3 flood protected IP addresses. Slot 2: Totally 3 flood protected IP addresses. # (Distributed devices in IRF mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc. display attack-defense policy abc flood ...

  • Page 1026

    1003 Predefined user roles: network-admin, network-operator. Parameters: policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). Ac...

  • Page 1027

    1004 display attack-defense policy abc flood ipv6. Slot 1: IPv6 address VPN instance Type Rate threshold(pps) Dropped 2013::127f a012345678901234 syn-ack-flood 1000 4294967295 2::5 -- ack-flood 100 10 1::5 -- ack-flood 100 23. Slot 2: IPv6 address VPN instance Type Rate threshold(pps) Dropped 2013::12...

  • Page 1028

    1005 Field: Description. VPN instance: MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--). Type: Type of the flood attack. Rate threshold(pps): Threshold for triggering flood attack prevention, in u...

  • Page 1029

    1006 count: Displays the number of matching IPv4 scanning attackers. Usage guidelines: If you do not specify any parameters, this command displays information about all IPv4 scanning attackers. Examples: # (Centralized devices in standalone mode.) Display information about all IPv4 scanning attackers....

  • Page 1030

    1007 Table 158 Command output. Field: Description. Totally 3 attackers: Total number of IPv4 scanning attackers. IP addr(DSLitePeer): The IP addr field displays the IPv4 address of the attacker. The DSLitePeer field displays the DS-Lite tunnel source IPv6 address of the attacker in a DS-Lite network. In ...

  • Page 1031

    1008 slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv6 scanning attacker...

  • Page 1032

    1009 Totally 3 attackers. Slot 2: Totally 0 attackers. # (Distributed devices in IRF mode.) Display the number of IPv6 scanning attackers. display attack-defense scan attacker ipv6 count. Slot 1 in chassis 1: Totally 3 attackers. Slot 2 in chassis 2: Totally 0 attackers. Table 159 Command output. Fiel...

  • Page 1033

    1010 Parameters: interface interface-type interface-number: Specifies an interface by its type and number. local: Specifies the device. slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device or a global interface, such as a VLAN interface or t...

  • Page 1034

    1011 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv4 scanning attack victims. display attack-defense scan victim ip count. Slot 1: Totally 3 victim IP addresses. Slot 2: Totally 0 victim IP addresses. # (Distributed devices in IRF mode.) Display ...

  • Page 1035

    1012 Predefined user roles: network-admin, network-operator. Parameters: interface interface-type interface-number: Specifies an interface by its type and number. local: Specifies the device. slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device...

  • Page 1036

    1013 IPv6 address VPN instance Protocol Detected on Duration(min). # (Centralized devices in standalone mode.) Display the number of IPv6 scanning attack victims. display attack-defense scan victim ipv6 count. Totally 3 victim IP addresses. # (Distributed devices in standalone mode/centralized devices...

  • Page 1037

    1014 Views: Any view. Predefined user roles: network-admin, network-operator. Parameters: interface-type interface-number: Specifies an interface by its type and number. slot slot-number: Specifies a card by its slot number. This option is available only when you specify a global interface, such as a VLAN...

  • Page 1038

    1015 IP option internet timestamp 4 1 IP option loose source routing 5 0 IP option strict source routing 6 0 IP option route alert 3 0 Fragment 1 0 Impossible 1 1 Teardrop 1 1 Tiny fragment 1 0 IP options abnormal 3 0 Smurf 1 0 Ping of death 1 0 Traceroute 1 0 Large ICMP 1 0 TCP null flag 1 0 TCP al...

  • Page 1039

    1016 display attack-defense statistics interface gigabitethernet 1/0/1 slot 1. Attack policy name: abc. Slot 1: Scan attack defense statistics: AttackType AttackTimes Dropped. Port scan 2 23 IP sweep 3 33 Distribute port scan 1 10. Flood attack defense statistics: AttackType AttackTimes Dropped. SYN floo...

  • Page 1040

    1017 Large ICMPv6 1 0 ICMP echo request 1 0 ICMP echo reply 1 0 ICMP source quench 1 0 ICMP destination unreachable 1 0 ICMP redirect 2 0 ICMP time exceeded 3 0 ICMP parameter problem 4 0 ICMP timestamp request 5 0 ICMP timestamp reply 6 0 ICMP information request 7 0 ICMP information reply 4 0 ICMP...

  • Page 1041

    1018 IP option security 2 0 IP option stream ID 3 0 IP option internet timestamp 4 1 IP option loose source routing 5 0 IP option strict source routing 6 0 IP option route alert 3 0 Fragment 1 0 Impossible 1 1 Teardrop 1 1 Tiny fragment 1 0 IP options abnormal 3 0 Smurf 1 0 Ping of death 1 0 Tracero...

  • Page 1042

    1019 Table 162 Command output. Field: Description. AttackType: Type of the attack. AttackTimes: Number of times that the attack occurred. This command output displays only attacks that are detected. Dropped: Number of dropped packets. display attack-defense statistics local: Use display attack-defense stat...

  • Page 1043

    1020 Distribute port scan 1 10. Flood attack defense statistics: AttackType AttackTimes Dropped. SYN flood 1 0 ACK flood 1 0 SYN-ACK flood 3 5000 RST flood 2 0 FIN flood 2 0 UDP flood 1 0 ICMP flood 1 0 ICMPv6 flood 1 0 DNS flood 1 0 HTTP flood 1 0. Signature attack defense statistics: AttackType Attac...

  • Page 1044

    1021 ICMP parameter problem 4 0 ICMP timestamp request 5 0 ICMP timestamp reply 6 0 ICMP information request 7 0 ICMP information reply 4 0 ICMP address mask request 2 0 ICMP address mask reply 1 0 ICMPv6 echo request 1 1 ICMPv6 echo reply 1 1 ICMPv6 group membership query 1 0 ICMPv6 group membershi...

  • Page 1045

    1022 Impossible 1 1 Teardrop 1 1 Tiny fragment 1 0 IP options abnormal 3 0 Smurf 1 0 Ping of death 1 0 Traceroute 1 0 Large ICMP 1 0 TCP null flag 1 0 TCP all flags 1 0 TCP SYN-FIN flags 1 0 TCP FIN only flag 1 0 TCP invalid flag 1 0 TCP land 1 0 WinNuke 1 0 UDP bomb 1 0 Snork 1 0 Fraggle 1 0 Large ...

  • Page 1046

    1023 IP sweep 3 33 Distribute port scan 1 10. Flood attack defense statistics: AttackType AttackTimes Dropped. SYN flood 1 0 ACK flood 1 0 SYN-ACK flood 3 5000 RST flood 2 0 FIN flood 2 0 UDP flood 1 0 ICMP flood 1 0 ICMPv6 flood 1 0 DNS flood 1 0 HTTP flood 1 0. Signature attack defense statistics: At...

  • Page 1047

    1024 ICMP time exceeded 3 0 ICMP parameter problem 4 0 ICMP timestamp request 5 0 ICMP timestamp reply 6 0 ICMP information request 7 0 ICMP information reply 4 0 ICMP address mask request 2 0 ICMP address mask reply 1 0 ICMPv6 echo request 1 1 ICMPv6 echo reply 1 1 ICMPv6 group membership query 1 0...

  • Page 1048

    1025 by-type: Displays all attack statistics by attack type. by-victim: Displays the top ten attack statistics by victim. Usage guidelines: If you do not specify the by-attacker, by-type, or by-victim keyword, this command displays attack statistics by attacker, by victim, and by attack type. Examples: # Display to...

  • Page 1049

    1026 Field: Description. Top victims: Top ten attack statistics by victim. Top attack types: Attack statistics by attack type. Related commands: attack-defense top-attack-statistics enable. display blacklist ip: Use display blacklist ip to display IPv4 blacklist entries. Syntax: Centralized devices in stand...

  • Page 1050

    1027 Examples: # (Centralized devices in standalone mode.) Display all IPv4 blacklist entries. display blacklist ip. IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped 192.168.11.5 -- -- dynamic 10 353452 123.123.123.123 a0123456789012 2013::fe07:221a:4011 dynamic 123 4294967295 201.55....

  • Page 1051

    1028 Field: Description. VPN instance: MPLS L3VPN instance to which the blacklisted IPv4 address belongs. If the blacklisted IPv4 address is on the public network, this field displays hyphens (--). DS-Lite tunnel peer: IPv6 address of the DS-Lite tunnel peer. If the device is the AFTR of a DS-Lite tunne...

  • Page 1052

    1029 chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 blacklist e...

  • Page 1053

    1030 display blacklist ipv6 count. Slot 1 in chassis 1: Totally 3 blacklist entries. Slot 2 in chassis 2: Totally 3 blacklist entries. Table 166 Command output. Field: Description. IPv6 address: IPv6 address of the blacklist entry. VPN instance: MPLS L3VPN instance to which the blacklisted IPv6 address be...

  • Page 1054

    1031 ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays all protected IPv4 addresses. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs. The vpn-instance-name argument is a case-sens...

  • Page 1055

    1032 IP address VPN instance Port Type Requested Trusted 192.168.11.5 -- 23 dynamic 46790 78578 201.55.7.45 -- 10 manual 2368 7237 123.123.123.123 vpn1 65535 dynamic 24587 1385. # (Centralized devices in standalone mode.) Display the number of protected IPv4 addresses for TCP client verification. dis...

  • Page 1056

    1033 123.123.123.123 vpn1 53 dynamic 4294967295 15151. Slot 2 in chassis 2: IP address VPN instance Port Type Requested Trusted 192.168.11.5 -- 53 dynamic 35689 25984 201.55.7.45 -- 53 manual 0 856 123.123.123.123 vpn1 53 dynamic 5458 8863. # (Centralized devices in standalone mode.) Display the numbe...

  • Page 1057

    1034 IP address VPN instance Port Type Requested Trusted 192.168.11.5 -- 80 dynamic 353452 555 201.55.7.45 -- 8080 manual 15000 222 123.123.123.123 vpn1 80 dynamic 4294967295 15151. Slot 2 in chassis 2: IP address VPN instance Port Type Requested Trusted 192.168.11.5 -- 80 dynamic 0 0 201.55.7.45 -- ...

  • Page 1059

    1036 IPv6 address VPN instance Port Type Requested Trusted 1:2:3:4:5:6:7:8 -- 100 manual 14478 5501 1023::1123 vpn1 65535 dynamic 4294967295 15151. # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the protected IPv6 addresses for TCP client verification. display cli...

  • Page 1060

    1037 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the protected IPv6 addresses for DNS client verification. display client-verify dns protected ipv6. Slot 1: IPv6 address VPN instance Port Type Requested Trusted 1:2:3:4:5:6:7:8 -- 53 manual 14478 5501 1023::1123...

  • Page 1061

    1038 Slot 1: IPv6 address VPN instance Port Type Requested Trusted 1:2:3:4:5:6:7:8 -- 8080 manual 14478 5501 1023::1123 vpn1 80 dynamic 4294967295 15151. Slot 2: IPv6 address VPN instance Port Type Requested Trusted 1:2:3:4:5:6:7:8 -- 8080 manual 4568 8798 1023::1123 vpn1 80 dynamic 15969 4679. # (Dis...

  • Page 1062

    1039 Field: Description. Type: Type of the protected IPv6 address, manual or dynamic. Requested: Number of packets destined for the protected IPv6 address. Trusted: Number of packets that passed client verification. Related commands: client-verify protected ipv6. display client-verify trusted ip: Use di...

  • Page 1063

    1040 count: Displays the number of matching trusted IPv4 addresses. Examples: # (Centralized devices in standalone mode.) Display the trusted IPv4 addresses for DNS client verification. display client-verify dns trusted ip. IP address VPN instance DS-Lite tunnel peer TTL(sec) 11.1.1.2 vpn1 -- 3600 123...

  • Page 1064

    1041 Totally 2 trusted addresses. IP address VPN instance DS-Lite tunnel peer TTL(sec) 11.1.1.2 vpn1 -- 3600 123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550. # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv4 addresses for HTTP client ve...

  • Page 1065

    1042 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv4 addresses for TCP client verification. display client-verify tcp trusted ip. Slot 1: IP address VPN instance DS-Lite tunnel peer TTL(sec) 11.1.1.2 vpn1 -- 3600 123.123.123.123 a012345678901234567...

  • Page 1066

    1043 Field: Description. DS-Lite tunnel peer: IPv6 address of the DS-Lite tunnel peer. If the device is the AFTR of a DS-Lite tunnel, this field displays the IPv6 address of the B4 element from which the packet comes. In other situations, this field displays hyphens (--). TTL(sec): Remaining aging time ...

  • Page 1067

    1044 count: Displays the number of matching trusted IPv6 addresses. Examples: # (Centralized devices in standalone mode.) Display the trusted IPv6 addresses for DNS client verification. display client-verify dns trusted ipv6. IPv6 address VPN instance TTL(sec) 1::3 vpn1 1643 1234::1234 a01234567890123...

  • Page 1068

    1045 IPv6 address VPN instance TTL(sec) 1::3 vpn1 1643 1234::1234 a012345678901234 1234. # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv6 addresses for HTTP client verification. display client-verify http trusted ipv6. Slot 1: IPv6 address VPN instan...

  • Page 1069

    1046 display client-verify tcp trusted ipv6. Slot 1: IPv6 address VPN instance TTL(sec) 1::3 vpn1 1643 1234::1234 a012345678901234 1234. Slot 2: IPv6 address VPN instance TTL(sec) 1::3 vpn1 1643. # (Distributed devices in IRF mode.) Display the trusted IPv6 addresses for TCP client verification. displa...

  • Page 1072

    1049 dns-flood detect non-specific: Use dns-flood detect non-specific to enable global DNS flood attack detection. Use undo dns-flood detect non-specific to disable global DNS flood attack detection. Syntax: dns-flood detect non-specific; undo dns-flood detect non-specific. Default: Global DNS flood atta...

  • Page 1073

    1050 Parameters: port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. Usage guidelines: The ...

  • Page 1074

    1051 Examples: # Set the global threshold to 100 for triggering DNS flood attack prevention in the attack defense policy atk-policy-1. system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] dns-flood threshold 100. Related commands: dns-flood action, dns-fl...

  • Page 1075

    1052 • L3VPN instance. • fragment keyword for matching non-first fragments. If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect. Examples: # Configure an ACL to permit packets sourced from 1.1.1.1. Configure attack detection exemption for pa...

  • Page 1076

    1053 [Sysname-attack-defense-policy-atk-policy-1] fin-flood action drop. Related commands: client-verify tcp enable, fin-flood detect, fin-flood detect non-specific, fin-flood threshold. fin-flood detect: Use fin-flood detect to configure IP address-specific FIN flood attack detection. Use undo fin-flood d...

  • Page 1077

    1054 Examples: # Configure FIN flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1. system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] fin-flood detect ip 192.168.1.2 threshold 2000. Related commands: fin-flood action, fin-f...

  • Page 1078

    1055 Syntax: fin-flood threshold threshold-value; undo fin-flood threshold. Default: The global threshold is 1000 for triggering FIN flood attack prevention. Views: Attack defense policy view. Predefined user roles: network-admin. Parameters: threshold-value: Specifies the threshold value. The value range is...

  • Page 1079

    1056 Predefined user roles: network-admin. Parameters: client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers. drop: Drops subsequent HTTP packets destined for th...

  • Page 1080

    1057 vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network. port port-list: Specifie...

  • Page 1081

    1058 Predefined user roles: network-admin. Usage guidelines: Global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold command and global actions ...

  • Page 1082

    1059 Related commands: http-flood action, http-flood detect, http-flood detect non-specific. http-flood threshold: Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention. Use undo http-flood threshold to restore the default. Syntax: http-flood threshold threshold-...

  • Page 1084

    1061 Parameters: ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string...

  • Page 1085

    1062 Usage guidelines: Global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold command and global actions specified by the icmp-flood actio...

  • Page 1086

    1063 [Sysname-attack-defense-policy-atk-policy-1] icmp-flood threshold 100. Related commands: icmp-flood action, icmp-flood detect ip, icmp-flood detect non-specific. icmpv6-flood action: Use icmpv6-flood action to specify global actions against ICMPv6 flood attacks. Use undo icmpv6-flood action to restor...

  • Page 1087

    1064 Default: IPv6 address-specific ICMPv6 flood attack detection is not configured. Views: Attack defense policy view. Predefined user roles: network-admin. Parameters: ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the...

  • Page 1088

    1065 Default: Global ICMPv6 flood attack detection is disabled. Views: Attack defense policy view. Predefined user roles: network-admin. Usage guidelines: Global ICMPv6 flood attack detection applies to all IPv6 addresses except for those specified by the icmpv6-flood detect ipv6 command. The global d...

  • Page 1089

    1066 With global ICMPv6 flood attack detection configured, the device is in attack detection state. When the sending rate of ICMPv6 packets to an IPv6 address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (thre...

  • Page 1090

    1067 reset attack-defense statistics interface: Use reset attack-defense statistics interface to clear attack detection and prevention statistics for an interface. Syntax: reset attack-defense statistics interface interface-type interface-number. Views: User view. Predefined user roles: network-admin. Para...

  • Page 1091

    1068 Predefined user roles: network-admin, network-operator. Examples: # Clear top 10 attack statistics. reset attack-defense top-attack-statistics. Related commands: attack-defense top-attack-statistics enable, display attack-defense top-attack-statistics. reset blacklist ip: Use reset blacklist ip to clear ...

  • Page 1092

    1069 Views: User view. Predefined user roles: network-admin. Parameters: source-ipv6-address: Specifies the IPv6 address for a blacklist entry. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of...

  • Page 1093

    1070 Views: User view. Predefined user roles: network-admin. Parameters: dns: Specifies the DNS client verification feature. http: Specifies the HTTP client verification feature. tcp: Specifies the TCP client verification feature. ip: Specifies the protected IPv4 list. ipv6: Specifies the protected IPv6 ...

  • Page 1096

    1073 Syntax: rst-flood detect non-specific; undo rst-flood detect non-specific. Default: Global RST flood attack detection is disabled. Views: Attack defense policy view. Predefined user roles: network-admin. Usage guidelines: Global RST flood attack detection applies to all IP addresses except for those...

  • Page 1097

    1074 Usage guidelines: The global threshold applies to global RST flood attack detection. Adjust the threshold according to the application scenarios. If the number of RST packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold mi...

  • Page 1098

    1075 action: Specifies the actions against scanning attacks. block-source: Adds the attackers' IP addresses to the IP blacklist. If the blacklist feature is enabled on the receiving interface, the device drops subsequent packets from the blacklisted IP addresses. timeout minutes: Specifies the aging...

  • Page 1099

    1076 Parameters: large-icmp: Specifies the large ICMP packet attack signature. large-icmpv6: Specifies the large ICMPv6 packet attack signature. length: Specifies the maximum length of safe ICMP or ICMPv6 packets, in bytes. The value range for ICMP packets is 28 to 65534. The value range for ICMPv6 packets is ...

  • Page 1101

    1078 • option-code: Specifies the IP option in the range of 0 to 255. • internet-timestamp: Specifies the timestamp option. • loose-source-routing: Specifies the loose source routing option. • record-route: Specifies the record route option. • route-alert: Specifies the route alert option. • securit...

  • Page 1102

    1079 [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] signature detect smurf action drop. Related commands: signature level action. signature level action: Use signature level action to specify the actions against single-packet attacks on a specific level. Use un...

  • Page 1106

    1083 syn-ack-flood detect non-specific: Use syn-ack-flood detect non-specific to enable global SYN-ACK flood attack detection. Use undo syn-ack-flood detect non-specific to disable global SYN-ACK flood attack detection. Syntax: syn-ack-flood detect non-specific; undo syn-ack-flood detect non-specific. D...

  • Page 1107

    1084 Predefined user roles: network-admin. Parameters: threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of SYN-ACK packets sent to an IP address per second. Usage guidelines: The global threshold applies to global SYN-ACK flood attack detection. Adjust the thresho...

  • Page 1108

    1085 logging: Enables logging for SYN flood attack events. Usage guidelines: For SYN flood attack detection to collaborate with TCP client verification, make sure the client-verify keyword is specified and TCP client verification is enabled. To enable TCP client verification, use the clie...

  • Page 1109

    1086 drop: Drops subsequent SYN packets destined for the protected IP address. logging: Enables logging for SYN flood attack events. none: Takes no action. Usage guidelines: With SYN flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of...

  • Page 1110

    1087 syn-flood detect, syn-flood threshold. syn-flood threshold: Use syn-flood threshold to set the global threshold for triggering SYN flood attack prevention. Use undo syn-flood threshold to restore the default. Syntax: syn-flood threshold threshold-value; undo syn-flood threshold. Default: The global th...

  • Page 1112

    1089 ipv6 ipv6-address: Specifies the IPv6 address to be protected. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protecte...

  • Page 1113

    1090 Usage guidelines: Global UDP flood attack detection applies to all IP addresses except for those specified by the udp-flood detect command. The global detection uses the global trigger threshold set by the udp-flood threshold command and global actions specified by the udp-flood action comma...

  • Page 1114

    1091 [Sysname-attack-defense-policy-atk-policy-1] rst-flood threshold 100. Related commands: udp-flood action, udp-flood detect, udp-flood detect non-specific. whitelist enable: Use whitelist enable to enable the whitelist feature on an interface. Use undo whitelist enable to disable the whitelist feature...

  • Page 1115

    1092 Predefined user roles: network-admin. Usage guidelines: If you enable the global whitelist feature, the whitelist feature is enabled on all interfaces. Examples: # Enable the global whitelist feature. system-view [Sysname] whitelist global enable. whitelist object-group: Use whitelist object-group to...

  • Page 1116

    1093 If you execute this command multiple times, the most recent configuration takes effect. Examples: # Add address object group object-group1 to the whitelist. system-view [Sysname] whitelist object-group object-group1.

  • Page 1117: Ip Source Guard Commands

    1094 IP source guard commands. The following matrix shows the feature and hardware compatibility: Hardware / IP source guard compatibility: MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK: Yes. MSR810-LMS/810-LUS: No. MSR2600-10-X1: Yes. MSR 2630: Yes. MSR3600-28/3600-51: Yes. MSR3600-28-S...

  • Page 1118

    1095 Static IPv6SG is supported only on the following ports: • Layer 2 Ethernet ports on the following modules: HMIM-8GSW, HMIM-8GSWF, HMIM-24GSW, HMIM-24GSWP, SIC-4GSW, SIC-4GSWP. • Fixed Layer 2 Ethernet ports on the following routers: MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/81...

  • Page 1120

    1097 Field / Description: IP address: IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A. MAC address: MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A. Interface: Interface of the binding. VLAN: VLAN in...

  • Page 1121

    1098 vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The VPN instance name is a case-sensitive string of 1 to 31 characters. To display dynamic IPSG bindings for the public network, do not specify a VPN instance. dhcpv6-snooping: Specifies the DHCPv6 snooping module. wl...

  • Page 1122

    1099 Related commands: ipv6 source binding, ipv6 verify source. ip source binding (interface view): Use ip source binding to configure a static IPv4SG binding on an interface. Use undo ip source binding to delete the static IPv4SG bindings configured on an interface. Syntax: ip source binding { ip-addres...

  • Page 1123

    1100 Usage guidelines. IMPORTANT: Static IPv4SG bindings that contain MAC addresses are not supported on Layer 2 Ethernet ports on the following modules: • HMIM-8GSW. • HMIM-8GSWF. • HMIM-24GSW. • HMIM-24GSWP. Static IPv4SG bindings that contain IP addresses or VLANs are not supported on the followin...

  • Page 1124

    1101 Predefined user roles: network-admin. Parameters: ip-address: Filters incoming packets by source IPv4 addresses. ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses. mac-address: Filters incoming packets by source MAC addresses. Usage guidelines. Impor...

  • Page 1125

    1102 Predefined user roles: network-admin. Parameters: all: Removes all the static IPv6SG bindings on the interface. ip-address ipv6-address: Specifies an IPv6 address for the static binding. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address. mac-address mac-add...

  • Page 1127

    1104 ARP attack protection commands. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1...

  • Page 1128

    1105 arp resolving-route probe-count: Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address. Use undo arp resolving-route probe-count to restore the default. Syntax: arp resolving-route probe-count count; undo arp resolving-route probe-count ...

  • Page 1129

    1106 Examples: # Configure the device to probe ARP blackhole routes every 3 seconds. system-view [Sysname] arp resolving-route probe-interval 3. Related commands: arp resolving-route enable, arp resolving-route probe-count. arp source-suppression enable: Use arp source-suppression enable to enable the ARP...

  • Page 1130

    1107 Views: System view. Predefined user roles: network-admin. Parameters: limit-value: Specifies the limit in the range of 2 to 1024. Usage guidelines: If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until...

  • Page 1132

    1109 Views: System view. Predefined user roles: network-admin. Parameters: time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds. Examples: # Set the aging time for ARP attack entries to 60 seconds. system-view [Sysname] arp source-mac aging-time 60. arp source-mac exclude-ma...

  • Page 1133

    1110 Use undo arp source-mac threshold to restore the default. Syntax: arp source-mac threshold threshold-value; undo arp source-mac threshold. Default: The threshold for source MAC-based ARP attack detection is 30. Views: System view. Predefined user roles: network-admin. Parameters: threshold-value: Specif...

  • Page 1134

    1111 chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ARP attack entri...

  • Page 1135

    1112 Use undo arp active-ack enable to disable the ARP active acknowledgement feature. Syntax: arp active-ack [ strict ] enable; undo arp active-ack [ strict ] enable. Default: The ARP active acknowledgement feature is disabled. Views: System view. Predefined user roles: network-admin. Parameters: strict: En...

  • Page 1136

    1113 system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] arp authorized enable. ARP attack detection commands. This feature is supported only on the following ports: • Layer 2 Ethernet ports on the following modules: HMIM-8GSW, HMIM-8GSWF, HMIM-24GSW, HMIM-24GSW-PoE, S...

  • Page 1138

    1115 arp detection trust: Use arp detection trust to configure an interface as an ARP trusted interface. Use undo arp detection trust to restore the default. Syntax: arp detection trust; undo arp detection trust. Default: An interface is an ARP untrusted interface. Views: Layer 2 Ethernet interface view, L...

  • Page 1139

    1116 src-mac: Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded. Usage guidelines: You can specify more than one object to be checked in one comman...

  • Page 1140

    1117 Examples: # Display the VLANs enabled with ARP attack detection. display arp detection. ARP detection is enabled in the following VLANs: 1-2, 4-5. Related commands: arp detection enable. display arp detection statistics: Use display arp detection statistics to display ARP attack detection statistics....

  • Page 1141

    1118 Field / Description: dst-mac: Number of ARP packets discarded due to invalid destination MAC address. Inspect: Number of ARP packets that failed to pass user validity check. reset arp detection statistics: Use reset arp detection statistics to clear ARP attack detection statistics. Syntax: reset arp d...

  • Page 1142

    1119 Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries. To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp stat...

  • Page 1143

    1120 system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] arp scan 1.1.1.1 to 1.1.1.20. ARP gateway protection commands. arp filter source: Use arp filter source to enable ARP gateway protection for a gateway. Use undo arp filter source to disable ARP gateway protection ...

  • Page 1144

    1121 [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] arp filter source 1.1.1.1. ARP filtering commands. arp filter binding: Use arp filter binding to enable ARP filtering and configure an ARP permitted entry. Use undo arp filter binding to remove an ARP permitted entry. Syntax: ...

  • Page 1145

    1122 Examples: # Enable ARP filtering and configure an ARP permitted entry. system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] arp filter binding 1.1.1.1 2-2-2.

  • Page 1146: Ipv4 Urpf Commands

    1123 IPv4 uRPF commands. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1-DP/...

  • Page 1147

    1124 argument represents the slot number of the card. If you do not specify a card, this command displays uRPF configuration for all cards. (Distributed devices in IRF mode.) Examples: # (Distributed devices in standalone mode.) Display uRPF configuration for the card in slot 1. display ip urpf slot ...

  • Page 1148

    1125 Views: Interface view. Predefined user roles: network-admin. Parameters: loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry. strict: Enables strict uRPF check. To pass strict uRPF check, the source address and r...

  • Page 1149: Ipv6 Urpf Commands

    1126 IPv6 uRPF commands. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1-DP/...

  • Page 1150

    1127 argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 uRPF configuration for all cards. (Distributed devices in IRF mode.) Examples: # (Centralized devices in standalone mode.) Display IPv6 uRPF configuration on GigabitEthernet 1/0/1. display i...

  • Page 1151

    1128 strict: Enables strict IPv6 uRPF check. To pass strict IPv6 uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of an IPv6 FIB entry. allow-default-route: Allows using the default route for IPv6 uRPF check. acl acl-number: S...

  • Page 1152: Crypto Engine Commands

    1129 Crypto engine commands. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1...

  • Page 1153

    1130 Random number generation function: Supported. Crypto engine name: Software crypto engine; Crypto engine state: Enabled; Crypto engine type: Software; Slot ID: 0; CPU ID: 0; Crypto engine ID: 1; Symmetric algorithms: DES-CBC DES-ECB 3DES-ECB AES-ECB SHA1 SHA2-256 SHA1-HMAC SHA2-256-HMAC; Asymmetric algor...

  • Page 1154

    1131 display crypto-engine statistics: Use display crypto-engine statistics to display crypto engine statistics, including the number of established sessions and the number of operations performed by crypto engines. Syntax: Centralized devices in standalone mode: display crypto-engine statistics [ eng...

  • Page 1155

    1132 Symmetric operations: 0; Symmetric errors: 0; Asymmetric operations: 0; Asymmetric errors: 0; Get-random operations: 0; Get-random errors: 0. Slot ID: 2; CPU ID: 0; Crypto engine ID: 0; Submitted sessions: 0; Failed sessions: 0; Symmetric operations: 0; Symmetric errors: 0; Asymmetric operations: 0; Asymmetr...

  • Page 1156

    1133 CPU ID: 0; Crypto engine ID: 0; Submitted sessions: 0; Failed sessions: 0; Symmetric operations: 0; Symmetric errors: 0; Asymmetric operations: 0; Asymmetric errors: 0; Get-random operations: 0; Get-random errors: 0. Chassis ID: 1; Slot ID: 2; CPU ID: 0; Crypto engine ID: 0; Submitted sessions: 0; Failed sess...

  • Page 1157

    1134 Symmetric errors: 0; Asymmetric operations: 0; Asymmetric errors: 0; Get-random operations: 0; Get-random errors: 0. # (Distributed devices in IRF mode.) Display statistics for crypto engine 1 on card 2 in IRF member device 1. display crypto-engine statistics engine-id 1 chassis 1 slot 2. Submitted s...

  • Page 1158

    1135 Predefined user roles: network-admin. Parameters: engine-id engine-id: Specifies a crypto engine by its ID. The value range is 0 to 4294967295. slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its m...

  • Page 1159: Fips Commands

    1136 FIPS commands. The following matrix shows the feature and hardware compatibility: Hardware / FIPS compatibility: MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK: Yes. MSR810-LMS/810-LUS: No. MSR2600-10-X1: Yes. MSR 2630: Yes. MSR3600-28/3600-51: Yes. MSR3600-28-SI/3600-51-SI: Yes. MSR 3...

  • Page 1160

    1137 Default: FIPS mode is disabled. Views: System view. Predefined user roles: network-admin. Usage guidelines: After you enable FIPS mode and reboot the device, the device operates in FIPS mode. The FIPS device has strict security requirements, and performs self-tests on cryptography modules to verify t...

  • Page 1161

    1138 Select the automatic reboot method. The system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, and specifies the file as the startup configuration file. The system reboots the device by using the default non-FIPS configuration file. After the reboot, you ...

  • Page 1162

    1139 Syntax: fips self-test. Views: System view. Predefined user roles: network-admin. Usage guidelines: To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-t...

  • Page 1163

    1140 Known-answer test for SHA256 passed. Known-answer test for SHA384 passed. Known-answer test for SHA512 passed. Known-answer test for HMAC-SHA1 passed. Known-answer test for HMAC-SHA224 passed. Known-answer test for HMAC-SHA256 passed. Known-answer test for HMAC-SHA384 passed. Known-answer test ...

  • Page 1164

    1141 Known-answer test for DSA(signature/verification) crypto engine passed. Known-answer tests in the kernel passed. CPU 1 of slot 1 in chassis 2: Starting known-answer tests in the user space. Known-answer test for SHA1 passed. Known-answer test for SHA224 passed. Known-answer test for SHA256 pass...

  • Page 1165: Mgre Commands

    1142 mGRE commands. display mgre session: Use display mgre session to display mGRE session information. Syntax: display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]. Views: Any view. Predefined user roles: network-admin, network-operator. Parameters: interface tunnel in...

  • Page 1166

    1143 10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01. Table 179 Command output. Field / Description: Interface: Name of the mGRE tunnel interface. Number of sessions: Total number of mGRE sessions on the tunnel interface. Peer NBMA address: Public address of the peer. Peer protocol address: IP address of the...

  • Page 1167

    1144 SA's SPI: Inbound: 187199087 (0xb286e6f) [ESP]; Outbound: 3562274487 (0xd453feb7) [ESP]. Number of sessions: 1. Peer NBMA address: 20.0.0.3; Peer protocol address: 192.168.181.137; Behind NAT: No; Session type: C-C; SA's SPI: Inbound: 187199087 (0xb286e6f) [ESP]; Outbound: 3562274487 (0xd453feb...

  • Page 1168

    1145 Table 180 Command output. Field / Description: Interface: Name of the mGRE tunnel interface. Link protocol: Encapsulation protocol used by the mGRE tunnel: • GRE. • IPsec-GRE. Number of sessions: Total number of mGRE sessions on the tunnel interface. Peer NBMA address: Public address of the peer. Peer ...

  • Page 1169

    1146 network-operator. Parameters: interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command displays NHRP mapping table information for all mGRE tunnel interfaces. peer ipv4-address: Specifies a peer p...

  • Page 1170

    1147 Field / Description: Expiration time: Period of time in which the mapping entry will expire. Type: Mapping entry type: • Static—The entry is statically configured. • Cached—The entry is dynamically obtained. • Incomplete—The entry is dynamic and incomplete. Flags: Mapping entry flags: • Unique—The ma...

  • Page 1171

    1148 Traffic indications: 0. NHRP packets received: 1453; Resolution requests: 15; Resolution replies: 1; Registration requests: 1435; Registration replies: 2; Purge requests: 0; Purge replies: 0; Error indications: 0; Traffic indications: 0. Tunnel1: NHRP packets sent: 3; Resolution requests: 0; Re...

  • Page 1172

    1149 Registration requests: 1435; Registration replies: 2; Purge requests: 0; Purge replies: 0; Error indications: 0; Traffic indications: 0. nhrp authentication: Use nhrp authentication to configure an NHRP packet authentication key. Use undo nhrp authentication to restore the default. Syntax: nhrp a...

  • Page 1173

    1150 Use undo nhrp holdtime to restore the default. Syntax: nhrp holdtime seconds; undo nhrp holdtime. Default: The holdtime of NHRP mapping entries is 7200 seconds. Views: mGRE tunnel interface view. Predefined user roles: network-admin. Parameters: seconds: Specifies the holdtime in the range of 1 to 65535...

  • Page 1174

    1151 If you execute this command multiple times, the most recent configuration takes effect. Examples: # Set the NHRP network ID to 10 for mGRE tunnel interface Tunnel1. system-view [Sysname] interface tunnel 1 mode mgre [Sysname-Tunnel1] nhrp network-id 10. Related commands: interface tunnel (Layer 3—...

  • Page 1175

    1152 Views: User view. Predefined user roles: network-admin. Parameters: interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command resets dynamic mGRE sessions for all mGRE tunnel interfaces. peer ipv4-add...

  • Page 1176

    1153 reset nhrp statistics: Use reset nhrp statistics to clear NHRP packet statistics. Syntax: reset nhrp statistics [ interface tunnel interface-number ]. Views: User view. Predefined user roles: network-admin. Parameters: interface tunnel interface-number: Specifies an mGRE tunnel interface by its number ...

  • Page 1177: Index

    1154 Index. A: aaa authorization, 573 aaa authorization, 611 aaa device-id, 86 aaa domain, 735 aaa nas-id profile, 1 aaa session-limit, 2 aaa-fail nobinding enable, 230 accelerate, 953 accept-lifetime utc, 426 access-limit, 53 accounting advpn, 2 accounting ...

  • Page 1178

    1155 authentication login, 21 authentication portal, 23 authentication ppp, 24 authentication sslvpn, 25 authentication super, 26 authentication-algorithm, 574 authentication-algorithm, 427 authentication-method, 612 authentication-method, 575 authentication-server, 141 authentication-timeout, 234 a...

  • Page 1179

    1156 dh, 624 dhcpv6-follow-ipv6cp, 42 dir, 693 direction, 835 disable, 836 display app-group, 837 display application, 839 display application statistics, 842 display application statistics top, 845 display apr signature information, 847 display arp detection, 1116 display arp detection statistics, ...

  • Page 1180

    1157 display portal auth-fail-record, 249 display portal captive-bypass statistics, 252 display portal extend-auth-server, 253 display portal local-binding mac-address, 254 display portal logout-record, 255 display portal mac-trigger-server, 257 display portal packet statistics, 260 display portal r...

  • Page 1181

    1158 exclude-attribute (mac binding server view), 299 exclude-attribute (portal authentication server view), 301 execution (port forwarding item view), 754 execution (shortcut view), 755 exempt acl, 1051 exit, 695 f file-policy, 755 filter ip-tunnel acl, 756 filter ip-tunnel uri-acl, 757 filter tcp-...

  • Page 1183

    1160 max-users, 779 message-server, 780 mkdir, 698 move rule, 960 mtu, 781 n nas-id bind vlan, 50 nas-ip (hwtacacs scheme view), 126 nas-ip (radius scheme view), 97 nas-port-type, 315 nat-keepalive, 644 nbar application, 851 network (ipv4 address object group view), 942 network (ipv6 address object ...

  • Page 1184

    1161 portal free-rule destination, 345 portal free-rule source, 346 portal host-check enable, 347 portal ipv6 free-all except destination, 348 portal ipv6 layer3 source, 349 portal ipv6 user-detect, 350 portal layer3 source, 351 portal local-web-server, 352 portal logout-record enable, 353 portal lo...

  • Page 1185

    1162 redirect-url, 379 redundancy replay-interval, 553 remote-address, 554 remove, 700 rename, 700 reset application statistics, 858 reset arp detection statistics, 1118 reset aspf session, 822 reset attack-defense policy flood, 1066 reset attack-defense statistics interface, 1067 reset attack-defen...

  • Page 1186

    1163 secondary authorization, 135 security acl, 567 send-lifetime utc, 431 server address, 670 server-detect (portal authentication server view), 386 server-detect (portal web server view), 387 server-register, 388 server-timeout, 152 server-type (mac binding server view), 389 server-type(portal ser...

  • Page 1187

    1164 syn-ack-flood action, 1081 syn-ack-flood detect, 1081 syn-ack-flood detect non-specific, 1083 syn-ack-flood threshold, 1083 syn-flood action, 1084 syn-flood detect, 1085 syn-flood detect non-specific, 1086 syn-flood threshold, 1087 t tcp syn-check, 823 tcp-port, 390 tfc enable, 569 timeout idle...