16-COPS Commands
display cops connection
Syntax
display cops connection [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
slot slot-number: Displays COPS connection information on the card specified by the slot number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display cops connection command to display COPS connection information.
If no slot slot-number is specified, the command displays all COPS connection information on the device.
Related commands: cops scheme.
Examples
# Display COPS connection information.
<Sysname> display cops connection slot 0
PEP ID: 192.168.0.1-s0
Client Type: COPS-1X Status: UP
Connection Losts: 2 Reconnections: 4
KA Timer: 30s ACCT Timer: 600s
Reconnect Interval: 30s Response Timeout: 10s
Current TCP Connection:
PEP: 192.168.0.1/1031
PDP: 192.168.0.3/3288
Last TCP Connection:
PEP: 192.168.0.1/1031
PDP: 192.168.0.4/3288
TX:
REQ: Succ 101, Fail 4
RPT: Succ 100, Fail 1
OPN: Succ 1, Fail 0
KA: Succ 5, Fail 0
DRQ: Succ 1, Fail 0
SSC: Succ 3, Fail 0
RX:
CAT: 1 KA: 5
S-DEC: 100 UNS-DEC: 2 SSQ: 3
Table 1 Output description
Field | Description |
---|---|
PEP ID | PEP ID in the OPN packet, which is composed of the configured COPS client ID and the interface where the COPS service resides. |
Client Type | COPS client type. 1X means 802.1X service. |
Status | COPS connection status, including: DOWN, NEGOTIATION, OPENING, UP, and SYN. |
Connection Losts | Number of lost COPS connections. |
Reconnections | Number of connection attempts. |
KA timer | Keep-alive timer. |
ACCT timer | Interval for the PEP sending accounting messages to a PDP. |
PEP: 192.168.0.11/2238 | IP address and port number of the PEP. |
PDP: 192.168.0.22/3288 | IP address and port number of the PDP. |
Reconnect Interval | Reconnection attempt interval. |
TX: | Number of transmitted COPS packets. |
REQ: Succ 101, Fail 4 | Numbers of REQ packets transmitted successfully and unsuccessfully. |
RPT: Succ 100, Fail 1 | Numbers of RPT packets transmitted successfully and unsuccessfully. |
OPN: Succ 1, Fail 0 | Numbers of OPN packets transmitted successfully and unsuccessfully. |
KA: Succ 5, Fail 0 | Numbers of KA packets transmitted successfully and unsuccessfully. |
DRQ: Succ 1, Fail 0 | Numbers of DRQ packets transmitted successfully and unsuccessfully. |
SSC: Succ 3, Fail 0 | Numbers of SSC packets transmitted successfully and unsuccessfully. |
RX: | Number of received COPS packets. |
CAT: 1 KA: 5 S-DEC: 100 UNS-DEC: 2 SSQ: 3 | Numbers of received CAT packets, KA packets, solicited DEC packets, unsolicited DEC packets, and SSQ packets. |
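The following is an added example, not part of the H3C documentation: a Python parser for one connection block of the display cops connection output, which reports the conditions worth a closer look (status other than UP, a change of PDP between the last and current TCP connection, lost connections, failed transmissions). The function names and the wording of the findings are assumptions made for this example.

```python
import re

# Abridged from the sample output on this page (timers and some counters omitted).
SAMPLE = """\
PEP ID: 192.168.0.1-s0
Client Type: COPS-1X Status: UP
Connection Losts: 2 Reconnections: 4
Current TCP Connection:
PEP: 192.168.0.1/1031
PDP: 192.168.0.3/3288
Last TCP Connection:
PEP: 192.168.0.1/1031
PDP: 192.168.0.4/3288
TX:
REQ: Succ 101, Fail 4
RPT: Succ 100, Fail 1
RX:
S-DEC: 100 UNS-DEC: 2 SSQ: 3
"""

def parse_cops(text):
    """Parse one connection block of `display cops connection` output."""
    info, section = {"tx": {}, "rx": {}, "pdp": {}}, None
    for line in map(str.strip, text.splitlines()):
        if line in ("Current TCP Connection:", "Last TCP Connection:"):
            section = line.split()[0].lower()          # "current" or "last"
        elif line in ("TX:", "RX:"):
            section = line[:2].lower()
        elif section == "tx" and (m := re.match(r"(\w+):\s*Succ\s+(\d+),\s*Fail\s+(\d+)", line)):
            info["tx"][m[1]] = (int(m[2]), int(m[3]))  # (succeeded, failed)
        elif section == "rx":
            info["rx"].update((k, int(v)) for k, v in re.findall(r"([\w-]+):\s*(\d+)", line))
        elif section in ("current", "last") and line.startswith("PDP:"):
            info["pdp"][section] = line[4:].strip()
        else:
            info.update(re.findall(r"(PEP ID|Status|Connection Losts|Reconnections):\s*(\S+)", line))
    return info

def findings(info):
    """Return the conditions an operator would want to look at; no thresholds are assumed."""
    out = []
    if info.get("Status") != "UP":
        out.append(f"connection status is {info.get('Status')}, not UP")
    cur, last = info["pdp"].get("current"), info["pdp"].get("last")
    if cur and last and cur != last:
        out.append(f"PDP changed: {last} -> {cur}")
    if int(info.get("Connection Losts", 0)):
        out.append(f"{info['Connection Losts']} lost connections, {info.get('Reconnections')} connection attempts")
    out += [f"{n}: {f} of {s + f} transmissions failed" for n, (s, f) in info["tx"].items() if f]
    return out
```

Calling findings(parse_cops(SAMPLE)) reports the PDP change, the lost connections, and the failed REQ and RPT transmissions.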
cops id
Syntax
cops id pep-id
undo cops id
View
System view
Default level
2: System level
Parameters
pep-id: COPS client ID, a case-sensitive string of 1 to 128 characters. H3C recommends that you set the IP address or domain name of the PEP device as the COPS client ID.
Description
Use the cops id command to set the COPS client ID.
As a PEP, the device uses a COPS client ID to identify itself. The COPS client ID and the interface information of the COPS service compose the PEP ID in the OPN packet sent to the PDP. The PDP uses the PEP ID to identify the PEP.
Use the undo cops id command to remove the configured COPS client ID.
By default, no COPS client ID is configured.
The COPS client ID and the number of the slot where the COPS service resides compose the PEP ID in the OPN packet. The PEP ID is in the format “COPS client ID” plus “-s” plus “the number of the slot where the COPS service resides”. For example, if the COPS client ID is TEST and the number of the slot where the COPS service resides is 0, the PEP ID is TEST-s0. To display the PEP ID, you can use the display cops connection command.
Removal or modification of the COPS client ID of the device does not affect the existing COPS connections.
Related commands: display cops connection.
Examples
# Set the COPS client ID of the device as the IP address of the device (192.168.0.77).
<Sysname> system-view
[Sysname] cops id 192.168.0.77
cops scheme
Syntax
cops scheme cops-scheme-name
undo cops scheme cops-scheme-name
View
System view
Default level
2: System level
Parameters
cops-scheme-name: COPS scheme name, a case-insensitive string of 1 to 32 characters.
Description
Use the cops scheme command to create a COPS scheme and enter its view.
Use the undo cops scheme command to remove the specified COPS scheme.
By default, no COPS scheme exists.
Removal of a COPS scheme in use does not affect the services referencing the COPS scheme.
Related commands: dot1x cops.
Examples
# Create COPS scheme cops1, and enter its view.
<Sysname> system-view
[Sysname] cops scheme cops1
[Sysname-cops-cops1]
server ipv4
Syntax
server ipv4 ipv4-address [ port port-number ]
undo server ipv4 [ ipv4-address ]
View
COPS scheme view
Default level
2: System level
Parameters
ipv4-address: IPv4 address of the PDP.
port-number: TCP port of the PDP server, in the range 0 to 65535. The default value is 3288.
Description
Use the server ipv4 command to specify the IPv4 address and TCP port of a PDP.
Use the undo server ipv4 command to remove the specified PDP or all PDPs.
By default, no PDP is specified.
Up to two PDPs can be specified in a COPS scheme. The PEP first tries to establish a TCP connection to the primary PDP. If the attempt fails, the PEP contacts the backup PDP. The PEP will not stop until a connection is successfully established or the reference of the COPS scheme is cancelled.
Without any IPv4 address specified, the undo server ipv4 command removes all PDPs from the scheme.
Removal of a PDP in use does not affect the running COPS service.
After a COPS scheme is referenced by a service module, removal or modification of the PDPs in the COPS scheme does not take effect immediately. To bring your removal or modification into effect, cancel the reference of the COPS scheme for the service module and then reference the COPS scheme again.
Examples
# For COPS scheme cops1, specify the PDP with IPv4 address 192.168.0.7 and TCP port 3288.
<Sysname> system-view
[Sysname] cops scheme cops1
[Sysname-cops-cops1] server ipv4 192.168.0.7 port 3288
timer reconnect interval
Syntax
timer reconnect interval interval
undo timer reconnect interval
View
COPS scheme view
Default level
2: System level
Parameters
interval: Reconnection attempt interval, in the range 30 to 3600 seconds.
Description
Use the timer reconnect interval command to configure the reconnection attempt interval.
Use the undo timer reconnect interval command to restore the default.
By default, the interval is 60 seconds.
If the PEP fails to establish a COPS connection with a PDP, or the COPS connection is torn down because the keep-alive (KA) timer times out, the PEP tries to establish a COPS connection with the other PDP if two PDPs are specified. The attempts to establish a connection with either of the PDPs do not stop until a connection is successfully established or the reference of the COPS scheme is cancelled. If only one PDP is specified, the PEP tries to establish a COPS connection with the PDP repeatedly until the connection is successfully established or the reference of the COPS scheme is cancelled. The reconnection attempt interval specifies the time interval from when the current connection attempt fails to when the next connection attempt is initiated.
On a busy network or if the service is not sensitive to the COPS connection establishment time, H3C recommends that you set a larger interval to avoid frequent connection attempts.
After a COPS scheme is referenced by a service module, modification of the reconnection attempt interval in the COPS scheme does not take effect immediately. To bring your modification into effect, cancel the reference of the COPS scheme for the service module and then reference the COPS scheme again.
Related commands: display cops connection.
Examples
# In COPS scheme cops1, set the reconnection attempt interval to 30 seconds.
<Sysname> system-view
[Sysname] cops scheme cops1
[Sysname-cops-cops1] timer reconnect interval 30
timer response timeout
Syntax
timer response timeout time
undo timer response timeout
View
COPS scheme view
Default level
2: System level
Parameters
time: Response timeout time, in the range 3 to 60 seconds.
Description
Use the timer response timeout command to set the response timeout time.
Use the undo timer response timeout command to restore the default.
By default, the response timeout time is 5 seconds.
After the PEP sends a REQ to the PDP, the PEP starts the response timeout timer. If the PEP does not receive any response from the PDP before the timer expires, it directly removes the REQ state and notifies the service module.
On a busy network or if the PDP is busy, H3C recommends that you set a larger value for the response timeout time. Generally, 5 seconds is recommended.
After a COPS scheme is referenced by a service module, modifications of the response timeout time in the COPS scheme do not take effect immediately. To bring them into effect, cancel the reference of the COPS scheme for the service module and then reference the COPS scheme again.
Related commands: display cops connection.
Examples
# In COPS scheme cops1, set the response timeout time to 10 seconds.
<Sysname> system-view
[Sysname] cops scheme cops1
[Sysname-cops-cops1] timer response timeout 10
key
Syntax
key key-string [ algorithm hmac-md5-96 ]
undo key
View
COPS scheme view
Default level
2: System level
Parameters
key-string: Shared key used for packet exchange between the PEP and the PDP, a case-sensitive string of 1 to 64 characters.
algorithm hmac-md5-96: Specifies the HMAC algorithm used for COPS packet integrity check. The device supports the default algorithm HMAC-MD5-96 only.
Description
Use the key command to set the shared key used for the integrity check of COPS packets exchanged between the PEP and the PDP.
Use the undo key command to remove the configured shared key. With the shared key removed, no security mechanism is adopted for COPS packet exchange.
By default, no shared key is configured.
The configuration of shared key on the PEP must be consistent with that on the PDP. That is, if a shared key is configured on the PEP, the same one must be configured on the PDP. If no shared key is configured on the PEP, do not configure a shared key on the PDP either.
If you configure this command repeatedly, the last configuration overwrites the previous one.
Examples
# In COPS scheme cops1, set the shared key between the PEP and the PDP to aabbcc, and specify the HMAC-MD5-96 algorithm.
<Sysname> system-view
[Sysname] cops scheme cops1
[Sysname-cops-cops1] key aabbcc algorithm hmac-md5-96
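The following is an added example, not part of the H3C documentation: a Python check of COPS scheme commands (for instance a configuration template before it is applied) against the rules stated in the sections above: documented timer ranges, a shared key for the integrity check, and a backup PDP. The sample text is constructed from the command syntax on this page; the function name, the finding messages and the indented layout of the scheme lines are assumptions.

```python
import re

# Constructed sample built from the command syntax on this page; the exact
# layout of a device's saved configuration is an assumption.
CONFIG = """\
cops scheme cops1
 server ipv4 192.168.0.7 port 3288
 server ipv4 192.168.0.8
 timer response timeout 10
 key aabbcc algorithm hmac-md5-96
cops scheme COPS2
 server ipv4 192.168.0.9
 timer reconnect interval 10
"""

RANGES = {"reconnect interval": (30, 3600), "response timeout": (3, 60)}  # seconds, per the page

def audit(config):
    """Return {scheme name: [findings]} for each COPS scheme in the text."""
    schemes, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"cops scheme (\S{1,32})", line):
            # Scheme names are case-insensitive, so normalise them.
            cur = schemes.setdefault(m[1].lower(), {"pdps": [], "key": False, "bad": []})
        elif raw and not raw[0].isspace():
            cur = None                      # any other top-level line ends the scheme view
        elif cur is None:
            continue
        elif m := re.fullmatch(r"server ipv4 (\S+)(?: port (\d+))?", line):
            cur["pdps"].append((m[1], int(m[2] or 3288)))   # 3288 is the default port
        elif m := re.fullmatch(r"timer (reconnect interval|response timeout) (\d+)", line):
            lo, hi = RANGES[m[1]]
            if not lo <= int(m[2]) <= hi:
                cur["bad"].append(f"{m[1]} {m[2]}s is outside {lo}-{hi}s")
        elif re.fullmatch(r"key \S+(?: algorithm hmac-md5-96)?", line):
            cur["key"] = True
    report = {}
    for name, s in schemes.items():
        issues = list(s["bad"])
        if not s["key"]:
            issues.append("no shared key: COPS packets carry no integrity check")
        if len(s["pdps"]) < 2:
            issues.append(f"{len(s['pdps'])} PDP configured: no backup PDP")
        report[name] = issues
    return report
```

For the constructed sample, audit(CONFIG) returns no findings for cops1 and three for cops2: the out-of-range reconnection interval, the missing shared key, and the single PDP.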