11-Session Management Commands
application aging-time
Syntax
application aging-time { dns | ftp | msn | qq | sip } time-value
undo application aging-time [ dns | ftp | msn | qq | sip ]
View
System view
Default level
2: System level
Parameters
dns: Specifies the aging time for DNS sessions.
ftp: Specifies the aging time for FTP sessions.
msn: Specifies the aging time for MSN sessions.
qq: Specifies the aging time for QQ sessions.
sip: Specifies the aging time for SIP sessions.
time-value: Aging time, which ranges from 5 seconds to 100000 seconds.
Description
Use the application aging-time command to set the aging time for sessions of an application layer protocol.
Use the undo application aging-time command to restore the default. If no application layer protocol type is specified, the command restores the session aging times for all the application layer protocols to the defaults.
The default session aging times for the application layer protocols are as follows:
- DNS: 60 seconds
- FTP: 3600 seconds
- MSN: 3600 seconds
- QQ: 60 seconds
- SIP: 300 seconds
Examples
# Set the aging time for FTP sessions to 1800 seconds.
<Sysname> system-view
[Sysname] application aging-time ftp 1800
display application aging-time
Syntax
display application aging-time [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display application aging-time command to display the session aging times for application layer protocols.
You can use this command to display the default session aging times for application layer protocols before these session aging times are adjusted.
Related commands: application aging-time.
Examples
# Display the current session aging times for application layer protocols.
<Sysname> display application aging-time
Protocol Aging-time(s)
ftp 3600
dns 60
sip 300
msn 3600
qq 60
Table 1 Output description

Field | Description |
---|---|
Protocol | Application layer protocol |
Aging-time(s) | Session aging time, in seconds |
display session aging-time
Syntax
display session aging-time [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display session aging-time command to display the session aging times in different protocol states.
You can use this command to display the default session aging times in different protocol states before these session aging times are adjusted.
NOTE: The IM-NAT LPU does not support this command.
Related commands: session aging-time.
Examples
# Display the current session aging times in different protocol states.
<Sysname> display session aging-time
Protocol Aging-time(s)
syn 60
tcp-est 300
fin 30
udp-open 60
udp-ready 60
icmp-open 100
icmp-closed 30
rawip-open 30
rawip-ready 60
accelerate 10
Table 2 Output description

Field | Description |
---|---|
Protocol | Protocol state |
Aging-time(s) | Session aging time, in seconds |
display session relation-table
Syntax
display session relation-table [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
slot slot-number: Displays the relationship table entries of the specified card. The slot-number argument specifies the slot where the card resides.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display session relation-table command to display relationship table entries.
If no slot number is specified, the command displays the relationship table entries of all cards.
NOTE: The IM-NAT LPU does not support this command.
Examples
# Display all relationship table entries on slot 6.
<Sysname> display session relation-table slot 6
Relations on slot 6:
Local IP/Port Global IP/Port MatchMode
192.168.1.22/99 10.153.2.22/99 Local
APP:QQ Pro:UDP TTL:2000s AllowConn:10
Local IP/Port Global IP/Port MatchMode
192.168.1.100/99 10.153.2.100/99 Local
APP:FTP Pro:TCP TTL:2000s AllowConn:10
Total find: 2
Table 3 Output description

Field | Description |
---|---|
Relations on slot 6: | Relationship table on slot 6 |
Local IP/Port | IP address/port number on the inside network |
Global IP/Port | IP address/port number on the outside network |
MatchMode | Match mode from the session table to the relationship table: Local (the source IP address/port of a new session is matched against Local IP/Port), Global (the destination IP address/port of a new session is matched against Global IP/Port), or Either (the IP address/port of a new session is matched against either Local IP/Port or Global IP/Port) |
App | Application layer protocol, such as FTP, MSN, or QQ |
Pro | Transport layer protocol, TCP or UDP |
TTL | Remaining lifetime of the relationship table entry, in seconds |
AllowConn | Number of sessions allowed by the relationship table entry |
Total find | Total number of relationship table entries found |
display session statistics
Syntax
display session statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
slot slot-number: Displays the session statistics of the specified card. The slot-number argument specifies the slot where the card resides.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display session statistics command to display statistics about sessions.
If no slot number is specified, the command displays session statistics of all cards. If no argument is specified, the command displays all session statistics.
NOTE: The IM-NAT LPU does not support this command.
Examples
# Display statistics about all sessions of the LPU in slot 13.
<Sysname> display session statistics slot 13
Current session(s):1
Current TCP session(s): 1
Half-Open: 0 Half-Close: 0
Current UDP session(s): 0
Current ICMP session(s): 0
Current RAWIP session(s): 0
Current relation table(s): 0
Session establishment rate: 0/s
TCP Session establishment rate: 0/s
UDP Session establishment rate: 0/s
ICMP Session establishment rate: 0/s
RAWIP Session establishment rate: 0/s
Received TCP: 1356789815 packet(s) 109664852650 byte(s)
Received UDP: 2204480244 packet(s) 196761214058 byte(s)
Received ICMP: 10793095 packet(s) 2611913306 byte(s)
Received RAWIP: 4789685 packet(s) 452146335 byte(s)
Dropped TCP: 2 packet(s) 99 byte(s)
Dropped UDP: 17541392 packet(s) 3300787996 byte(s)
Dropped ICMP: 0 packet(s) 0 byte(s)
Dropped RAWIP: 0 packet(s) 0 byte(s)
Table 4 Output description

Field | Description |
---|---|
Current session(s) | Total number of sessions |
Current TCP session(s) | Number of TCP sessions |
Half-Open | Number of TCP sessions in the half-open state |
Half-Close | Number of TCP sessions in the half-close state |
Current UDP session(s) | Number of UDP sessions |
Current ICMP session(s) | Number of ICMP sessions |
Current RAWIP session(s) | Number of Raw IP sessions |
Current relation table(s) | Total number of relationship table entries |
Session establishment rate | Establishment rate of all sessions |
TCP Session establishment rate | Establishment rate of TCP sessions |
UDP Session establishment rate | Establishment rate of UDP sessions |
ICMP Session establishment rate | Establishment rate of ICMP sessions |
RAWIP Session establishment rate | Establishment rate of Raw IP sessions |
Received TCP | Counts of received TCP packets and bytes |
Received UDP | Counts of received UDP packets and bytes |
Received ICMP | Counts of received ICMP packets and bytes |
Received RAWIP | Counts of received Raw IP packets and bytes |
Dropped TCP | Counts of dropped TCP packets and bytes |
Dropped UDP | Counts of dropped UDP packets and bytes |
Dropped ICMP | Counts of dropped ICMP packets and bytes |
Dropped RAWIP | Counts of dropped Raw IP packets and bytes |
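The output above is easy to scrape for monitoring. As an added example that is not part of the command reference, the following Python script parses the display session statistics output shown on this page (embedded as constructed sample input) and derives per-protocol drop ratios and half-open counts; the alert thresholds in findings() are assumed values, not documented limits.

```python
"""Parse `display session statistics` output and derive per-protocol drop ratios.

Added example, not part of the command reference. SAMPLE_OUTPUT is the slot 13
output shown on this page, embedded so the script runs offline; the alert
thresholds in findings() are assumed values chosen for illustration."""
import re

SAMPLE_OUTPUT = """\
<Sysname> display session statistics slot 13
Current session(s):1
Current TCP session(s): 1
Half-Open: 0 Half-Close: 0
Current UDP session(s): 0
Current ICMP session(s): 0
Current RAWIP session(s): 0
Current relation table(s): 0
Session establishment rate: 0/s
TCP Session establishment rate: 0/s
UDP Session establishment rate: 0/s
ICMP Session establishment rate: 0/s
RAWIP Session establishment rate: 0/s
Received TCP: 1356789815 packet(s) 109664852650 byte(s)
Received UDP: 2204480244 packet(s) 196761214058 byte(s)
Received ICMP: 10793095 packet(s) 2611913306 byte(s)
Received RAWIP: 4789685 packet(s) 452146335 byte(s)
Dropped TCP: 2 packet(s) 99 byte(s)
Dropped UDP: 17541392 packet(s) 3300787996 byte(s)
Dropped ICMP: 0 packet(s) 0 byte(s)
Dropped RAWIP: 0 packet(s) 0 byte(s)
"""

PROTOCOLS = ("TCP", "UDP", "ICMP", "RAWIP")
COUNTER_RE = re.compile(r"^(?P<kind>Received|Dropped) (?P<proto>TCP|UDP|ICMP|RAWIP):\s*"
                        r"(?P<pkts>\d+) packet\(s\)\s+(?P<bytes>\d+) byte\(s\)$")
HALF_RE = re.compile(r"^Half-Open:\s*(?P<open>\d+)\s+Half-Close:\s*(?P<close>\d+)$")
SESSIONS_RE = re.compile(r"^Current (?P<proto>TCP|UDP|ICMP|RAWIP) session\(s\):\s*(?P<n>\d+)$")

def parse_statistics(text):
    """Return packet/byte counters per kind and protocol plus session counts."""
    stats = {"Received": {}, "Dropped": {}, "sessions": {},
             "half_open": 0, "half_close": 0}
    for line in text.splitlines():
        line = line.strip()
        if m := COUNTER_RE.match(line):
            stats[m["kind"]][m["proto"]] = (int(m["pkts"]), int(m["bytes"]))
        elif m := HALF_RE.match(line):
            stats["half_open"], stats["half_close"] = int(m["open"]), int(m["close"])
        elif m := SESSIONS_RE.match(line):
            stats["sessions"][m["proto"]] = int(m["n"])
    return stats

def drop_ratios(stats):
    """Dropped/received packet ratio per protocol (0.0 when nothing was received)."""
    ratios = {}
    for proto in PROTOCOLS:
        received = stats["Received"].get(proto, (0, 0))[0]
        dropped = stats["Dropped"].get(proto, (0, 0))[0]
        ratios[proto] = dropped / received if received else 0.0
    return ratios

def findings(stats, max_drop_ratio=0.005, max_half_open=1000):
    """Conditions worth alerting on; both thresholds are assumed values."""
    out = []
    for proto, ratio in drop_ratios(stats).items():
        if ratio > max_drop_ratio:
            out.append(f"{proto} drop ratio {ratio:.3%} exceeds {max_drop_ratio:.1%}")
    if stats["half_open"] > max_half_open:  # many half-open TCP sessions: SYN backlog
        out.append(f"{stats['half_open']} half-open TCP sessions")
    return out
```

On the sample output only the UDP drop ratio (about 0.8%) crosses the assumed threshold; the TCP drops are negligible against the receive count.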
display session table
Syntax
display session table [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
slot slot-number: Displays the sessions of the specified card. The slot-number argument specifies the slot where the card resides.
source-ip source-ip: Displays the sessions with the specified source IP address.
destination-ip destination-ip: Displays sessions with the specified destination IP address.
verbose: Displays detailed information about sessions. Without this keyword, the command displays brief information about the specified sessions.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display session table command to display information about sessions.
If no keywords are specified, the command displays information about all sessions.
If no slot number is specified, the command displays the session tables of all cards.
If both the source-ip and destination-ip keywords are specified, the command displays only the sessions with the specified source and destination IP addresses.
NOTE: The IM-NAT LPU does not support this command.
Examples
# Display brief information about all sessions.
<Sysname> display session table
Sessions on slot 6:
Total find: 0
Sessions on slot 1:
Total find: 0
Sessions on slot 13:
Initiator:
Source IP/Port : 6.6.6.2/2673
Dest IP/Port : 6.6.6.1/179
Pro : TCP(6)
VPN-Instance/VLAN ID/VLL ID:
Total find: 1
# Display detailed information about all sessions.
<Sysname> display session table verbose
Sessions on slot 6:
Total find: 0
Sessions on slot 1:
Total find: 0
Sessions on slot 13:
Initiator:
Source IP/Port : 6.6.6.2/2673
Dest IP/Port : 6.6.6.1/179
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source IP/Port : 6.6.6.1/179
Dest IP/Port : 6.6.6.2/2673
VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6) App: BGP State: SYN
Start time: 2009-06-22 15:58:52 TTL: 27s
Received packet(s)(Init): 1 packet(s) 59 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)
Total find: 1
Table 5 Output description

Field | Description |
---|---|
Sessions on slot 6: | Session information of the LPU in slot 6 |
Initiator: | Session information of the initiator |
Responder: | Session information of the responder |
Pro | Transport layer protocol: TCP, UDP, ICMP, or Raw IP |
VPN-Instance/VLAN ID/VLL ID | MPLS L3VPN that the session belongs to, and the VLAN and INLINE that the session belongs to during Layer 2 forwarding |
App | Application layer protocol, such as FTP, DNS, MSN, or QQ. Unknown indicates a protocol on a non-well-known port |
State | Session state: Accelerate, SYN, TCP-EST, FIN, UDP-OPEN, UDP-READY, ICMP-OPEN, ICMP-CLOSED, RAWIP-OPEN, or RAWIP-READY |
Start Time | Session establishment time |
TTL | Remaining lifetime of the session, in seconds |
Received packet(s)(Init) | Counts of packets and bytes from the initiator to the responder |
Received packet(s)(Reply) | Counts of packets and bytes from the responder to the initiator |
Total find | Total number of sessions found |
reset session
Syntax
reset session [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type protocol-type ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
View
User view
Default level
2: System level
Parameters
slot slot-number: Specifies the sessions of the specified card on a distributed device.
source-ip source-ip: Specifies the sessions with the specified source IP address of the initiator. The IM-NAT LPU does not support this keyword.
destination-ip destination-ip: Specifies the sessions with the specified destination IP address of the initiator. The IM-NAT LPU does not support this keyword.
protocol-type protocol-type: Specifies the sessions of the specified protocol type. The protocol types include TCP, UDP, ICMP, and Raw IP. The IM-NAT LPU does not support this keyword.
source-port source-port: Specifies the sessions with the specified source port of the initiator. The IM-NAT LPU does not support this keyword.
destination-port destination-port: Specifies the sessions with the specified destination port of the initiator. The IM-NAT LPU does not support this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN. The vpn-instance-name argument specifies the name of an MPLS L3VPN and is a case-sensitive string of 1 to 31 characters. The IM-NAT LPU does not support this keyword.
Description
Use the reset session command to clear sessions.
If no slot number is specified, the command clears the sessions of all cards.
If no VPN instance is specified, the command clears the sessions matching other criteria on the public network.
If no parameter is specified, all sessions will be cleared.
Examples
# Reset all session tables.
<Sysname> reset session
# Remove all sessions whose originator IP address is 10.10.10.10.
<Sysname> reset session source-ip 10.10.10.10
reset session statistics
Syntax
reset session statistics [ slot slot-number ]
View
User view
Default level
2: System level
Parameters
slot slot-number: Clears the session statistics of the specified card. The slot-number argument specifies the slot where the card resides.
Description
Use the reset session statistics command to clear session statistics.
If no slot number is specified, the command clears the session statistics of all cards.
NOTE: The IM-NAT LPU does not support this command.
Examples
# Clear the statistics about all sessions.
<Sysname> reset session statistics
session aging-time
Syntax
session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value
undo session aging-time [ accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready ]
View
System view
Default level
2: System level
Parameters
accelerate time-value: Specifies the aging time for sessions in the accelerate queue, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.
fin time-value: Specifies the aging time for TCP sessions in the FIN_WAIT state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.
icmp-closed time-value: Specifies the aging time for ICMP sessions in the CLOSED state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.
icmp-open time-value: Specifies the aging time for ICMP sessions in the OPEN state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.
rawip-open time-value: Specifies the aging time for sessions in the RAWIP_OPEN state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.
rawip-ready time-value: Specifies the aging time for sessions in the RAWIP_READY state. The IM-NAT LPU does not support this option.
syn time-value: Specifies the aging time for TCP sessions in the SYN_SENT or SYN_RCV state, which is in the range 5 to 100000, in seconds. For the IM-NAT LPU, the value ranges from 5 to 15 seconds.
tcp-est time-value: Specifies the aging time for TCP sessions in the ESTABLISHED state, which is in the range 5 to 100000, in seconds. For the IM-NAT LPU, the value ranges from 180 to 3600 seconds.
udp-open time-value: Specifies the aging time for UDP sessions in the OPEN state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.
udp-ready time-value: Specifies the aging time for UDP sessions in the READY state, which is in the range 5 to 100000, in seconds. For the IM-NAT LPU, the value ranges from 50 to 179 seconds.
Description
Use the session aging-time command to set the aging time for sessions of a specified protocol that are in a specified state.
Use the undo session aging-time command to restore the default. If no keyword is specified, the command restores the session aging times for all protocol states to the defaults.
The defaults are as follows:
- ACCELERATE state: 10 seconds
- TCP FIN_WAIT state: 30 seconds
- ICMP CLOSED state: 30 seconds
- ICMP OPEN state: 60 seconds
- RAWIP_OPEN state: 30 seconds
- RAWIP_READY state: 60 seconds
- TCP SYN_SENT and SYN_RCV state: 15 seconds
- TCP ESTABLISHED state: 300 seconds
- UDP OPEN state: 30 seconds
- UDP READY state: 60 seconds
To display the session aging times in different protocol states, use the display session aging-time command.
Examples
# Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 10 seconds.
<Sysname> system-view
[Sysname] session aging-time syn 10
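Because the defaults are documented per state, a configuration audit can compare live display session aging-time output against them. As an added example that is not part of the command reference, the Python below parses that output format (the display session aging-time example from this page is embedded as constructed sample input), reports every state that has drifted from its default, and flags values outside the documented 5 to 100000 second range.

```python
"""Check `display session aging-time` output against the documented defaults.

Added example, not part of the command reference. DEFAULTS comes from the
`session aging-time` description; SAMPLE_OUTPUT is the display example shown
on this page, embedded so the script runs offline.
"""
import re

# Default aging time per protocol state, in seconds, as documented.
DEFAULTS = {
    "accelerate": 10, "fin": 30, "icmp-closed": 30, "icmp-open": 60,
    "rawip-open": 30, "rawip-ready": 60, "syn": 15, "tcp-est": 300,
    "udp-open": 30, "udp-ready": 60,
}
VALID_RANGE = (5, 100000)  # documented time-value range, in seconds

SAMPLE_OUTPUT = """\
<Sysname> display session aging-time
Protocol Aging-time(s)
syn 60
tcp-est 300
fin 30
udp-open 60
udp-ready 60
icmp-open 100
icmp-closed 30
rawip-open 30
rawip-ready 60
accelerate 10
"""

# One data row: a lowercase state name followed by the aging time.
LINE_RE = re.compile(r"^(?P<state>[a-z-]+)\s+(?P<secs>\d+)$")


def parse_aging_times(text):
    """Return {state: seconds}; the prompt and header lines do not match."""
    times = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("state") in DEFAULTS:
            times[m.group("state")] = int(m.group("secs"))
    return times


def find_drift(times):
    """Return {state: (current, default)} for every state not at its default."""
    return {s: (v, DEFAULTS[s]) for s, v in times.items() if v != DEFAULTS[s]}


def missing_states(times):
    """Documented states that the output did not report."""
    return sorted(set(DEFAULTS) - set(times))


def out_of_range(times):
    """Values outside the documented 5 to 100000 second range."""
    lo, hi = VALID_RANGE
    return {s: v for s, v in times.items() if not lo <= v <= hi}


if __name__ == "__main__":
    current = parse_aging_times(SAMPLE_OUTPUT)
    for state, (cur, dflt) in sorted(find_drift(current).items()):
        print(f"{state}: {cur}s (default {dflt}s)")
    # A syn timer raised from 15s to 60s holds half-open TCP sessions four
    # times longer, which is worth knowing when sizing the session table.
```

On the sample output the script reports syn, udp-open and icmp-open as non-default, matching the values shown above.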
session checksum
Syntax
session checksum { all | { icmp | tcp | udp } * }
undo session checksum { all | { icmp | tcp | udp } * }
View
System view
Default level
2: System level
Parameters
all: Enables checksum verification for TCP, UDP, and ICMP packets.
icmp: Enables checksum verification for ICMP packets.
tcp: Enables checksum verification for TCP packets.
udp: Enables checksum verification for UDP packets.
Description
Use the session checksum command to enable checksum verification for protocol packets.
Use the undo session checksum command to disable checksum verification.
By default, checksum verification is disabled.
NOTE: The IM-NAT LPU does not support this command.
Examples
# Enable checksum verification for UDP packets.
<Sysname> system-view
[Sysname] session checksum udp
session log enable (NAT interface view)
Syntax
session log enable [ acl acl-number ]
undo session log enable
View
NAT virtual interface view
Default level
2: System level
Parameters
acl acl-number: Specifies the ACL to be used to match sessions for logging. The acl-number argument ranges from 2000 to 3999.
Description
Use the session log enable command to enable the session logging function.
Use the undo session log enable command to disable the session logging function.
By default, the session logging function is disabled.
If you do not specify the acl acl-number option, the command enables session logging for all sessions on the interface.
For an IM-NAT LPU, the system does not output log information about static address translation or the internal server.
Examples
# Enable session logging on interface NAT 5/0/1 for sessions matching ACL 2050.
<Sysname> system-view
[Sysname] interface nat 5/0/1
[Sysname-NAT5/0/1] session log enable acl 2050
session log time-active
Syntax
session log time-active time-value
undo session log time-active
View
System view
Default level
2: System level
Parameters
time-value: Holdtime threshold, in minutes. It is a multiple of 10 in the range 10 to 120.
Description
Use the session log time-active command to set the holdtime threshold for active traffic session logging.
Use the undo session log time-active command to remove the setting.
By default, the holdtime threshold is 0, which means that the system does not output active traffic session logs based on holdtime threshold.
Examples
# Set the holdtime threshold for active traffic session logging to 50 minutes.
<Sysname> system-view
[Sysname] session log time-active 50
session persist acl
Syntax
session persist acl acl-number [ aging-time time-value ]
undo session persist
View
System view
Default level
2: System level
Parameters
acl-number: ACL number, in the range 2000 to 3999.
aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value ranges from 0 to 360 and defaults to 24. A value of 0 means the persistent sessions are never aged.
Description
Use the session persist acl command to specify the persistent session ACL. All sessions permitted by the ACL are considered persistent sessions.
Use the undo session persist command to remove the configuration.
By default, no persistent session ACL is specified.
Persistent sessions are not removed merely because no packets match them within the aging time. You can manually remove such sessions when necessary.
There can be only one persistent session ACL.
NOTE: The IM-NAT LPU does not support this command.
Related commands: reset session.
Examples
# Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours.
<Sysname> system-view
[Sysname] session persist acl 2000 aging-time 72