10-Security


ASPF commands

The following matrix shows the feature and hardware compatibility:

Hardware series              Model                                        ASPF compatibility
WX1800H series               WX1804H, WX1810H, WX1820H                    Yes
WX2500H series               WX2510H, WX2540H, WX2560H                    Yes
WX3000H series               WX3010H, WX3010H-L, WX3010H-X, WX3024H,      No
                             WX3024H-L
WX3500H series               WX3508H, WX3510H, WX3520H, WX3540H           Yes
WX5500E series               WX5510E, WX5540E                             Yes
WX5500H series               WX5540H, WX5560H, WX5580H                    Yes
Access controller modules    EWPXM1MAC0F, EWPXM1WCME0, EWPXM2WCMD0F,      Yes
                             LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0,
                             LSUM1WCMX20RT, LSUM1WCMX40RT

The WX1800H series and WX2500H series access controllers do not support the slot keyword or the slot-number argument.

aspf apply policy

Use aspf apply policy to apply an ASPF policy to an interface.

Use undo aspf apply policy to remove an ASPF policy application from an interface.

Syntax

aspf apply policy aspf-policy-number { inbound | outbound }

undo aspf apply policy aspf-policy-number { inbound | outbound }

Default

No ASPF policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Specifies an ASPF policy number. The value range is 1 to 256.

inbound: Applies the ASPF policy to incoming packets.

outbound: Applies the ASPF policy to outgoing packets.

Usage guidelines

To inspect the traffic through an interface, you must apply a configured ASPF policy to that interface.

Make sure a connection's initiation packet and its response packet pass through the same interface, because ASPF stores and maintains application layer protocol state per interface.

You can apply an ASPF policy to both the inbound and outbound directions of an interface.

Examples

# Apply ASPF policy 1 to the outbound direction of GigabitEthernet 1/0/1.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] aspf apply policy 1 outbound

Related commands

aspf policy

display aspf all

display aspf interface

aspf policy

Use aspf policy to create an ASPF policy and enter its view, or enter the view of an existing ASPF policy.

Use undo aspf policy to remove an ASPF policy.

Syntax

aspf policy aspf-policy-number

undo aspf policy aspf-policy-number

Default

No ASPF policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Assigns a number to the ASPF policy. The value range is 1 to 256.

Examples

# Create ASPF policy 1 and enter its view.

<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1]

Related commands

display aspf all

display aspf policy

detect

Use detect to configure ASPF inspection for an application layer protocol.

Use undo detect to restore the default.

Syntax

detect { ftp | gtp | h323 | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

undo detect { ftp | gtp | h323 | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

Default

ASPF does not inspect application layer protocols. ASPF inspects only transport layer protocols.

Views

ASPF policy view

Predefined user roles

network-admin

Parameters

ftp: Specifies FTP, an application layer protocol.

gtp: Specifies GPRS Tunneling Protocol (GTP), an application layer protocol.

h323: Specifies the H.323 protocol suite, a set of application layer protocols.

ils: Specifies Internet Locator Service (ILS), an application layer protocol.

mgcp: Specifies Media Gateway Control Protocol (MGCP), an application layer protocol.

nbt: Specifies NetBIOS over TCP/IP (NBT), an application layer protocol.

pptp: Specifies Point-to-Point Tunneling Protocol (PPTP), an application layer protocol.

rsh: Specifies Remote Shell (RSH), an application layer protocol.

rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol.

sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol.

sip: Specifies Session Initiation Protocol (SIP), an application layer protocol.

sqlnet: Specifies SQLNET, an application layer protocol.

tftp: Specifies TFTP, an application layer protocol.

xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol.

Usage guidelines

Use this command for multichannel protocols so that their data connections are established successfully. All application layer protocols supported by this command, except TFTP, are multichannel protocols.

Repeat the detect command to configure ASPF inspection for multiple application layer protocols.

ASPF inspection for transport layer protocols is always enabled and is not configurable. The supported transport layer protocols are TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP.

This command configures ASPF inspection for application layer protocols. This inspection only maintains connection state information; it does not validate the protocol state itself.

Examples

# Configure ASPF inspection for FTP packets.

<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect ftp

Related commands

display aspf policy

display aspf all

Use display aspf all to display the configuration of all ASPF policies and their applications.

Syntax

display aspf all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of all ASPF policies and their applications.

<Sysname> display aspf all
ASPF policy configuration:
  Policy default:
    ICMP error message check: Disabled
    TCP SYN packet check: Disabled
    Inspected protocol
      FTP
  Policy number: 1
    ICMP error message check: Disabled
    TCP SYN packet check: Disabled
    Inspected protocol
      FTP

Interface configuration:
  GigabitEthernet1/0/1
    Inbound policy : 1
    Outbound policy: none

Table 1 Command output

Field                       Description
Policy default              Predefined ASPF policy.
ICMP error message check    Whether ICMP error message check is enabled.
TCP SYN packet check        Whether TCP SYN check is enabled.
Inspected protocol          Protocols to be inspected by ASPF.
Interface configuration     Interfaces where an ASPF policy is applied.
Inbound policy              Inbound ASPF policy number.
Outbound policy             Outbound ASPF policy number.

Related commands

aspf apply policy

aspf policy

display aspf policy

display aspf interface

Use display aspf interface to display ASPF policy application on interfaces.

Syntax

display aspf interface

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display ASPF policy application on interfaces.

<Sysname> display aspf interface
Interface configuration:
  GigabitEthernet1/0/1
    Inbound policy : 1
    Outbound policy: none

Table 2 Command output

Field                       Description
Interface configuration     Interfaces where an ASPF policy is applied.
Inbound policy              Inbound ASPF policy number.
Outbound policy             Outbound ASPF policy number.

Related commands

aspf apply policy

aspf policy

display aspf policy

Use display aspf policy to display the configuration of an ASPF policy.

Syntax

display aspf policy { aspf-policy-number | default }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

aspf-policy-number: Specifies the number of an ASPF policy. The value range is 1 to 256.

default: Specifies the predefined ASPF policy.

Examples

# Display the configuration of ASPF policy 1.

<Sysname> display aspf policy 1
ASPF policy configuration:
  Policy number: 1
    ICMP error message check: Disabled
    TCP SYN packet check: Enabled
    Inspected protocol
      FTP
      RSH

Table 3 Command output

Field                       Description
ICMP error message check    Whether ICMP error message check is enabled.
TCP SYN packet check        Whether TCP SYN check is enabled.
Inspected protocol          Protocols to be inspected by ASPF.

Related commands

aspf policy

display aspf session

Use display aspf session to display ASPF sessions.

Syntax

display aspf session [ ipv4 | ipv6 ] [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Displays IPv4 ASPF sessions.

ipv6: Displays IPv6 ASPF sessions.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ASPF sessions for all member devices.

verbose: Displays detailed information about ASPF sessions. If you do not specify this keyword, the command displays brief information about ASPF sessions.

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command displays all ASPF sessions on the device.

Examples

# Display brief information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4
Slot 1:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/1

Total sessions found: 2

# Display detailed information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4 verbose
Slot 1:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:         1 packets         48 bytes
Responder->Initiator:         0 packets          0 bytes

Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source      IP/port: 192.168.1.55/1792
  Destination IP/port: 192.168.1.18/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/2
State: ICMP_REQUEST
Application: OTHER
Start time: 2011-07-29 19:12:33  TTL: 55s
Initiator->Responder:         1 packets         6048 bytes
Responder->Initiator:         0 packets          0 bytes

Total sessions found: 2

Table 4 Command output

Field                           Description
Initiator                       Session information from initiator to responder.
Responder                       Session information from responder to initiator.
Source IP/port                  Source IP address and port number.
Destination IP/port             Destination IP address and port number.
DS-Lite tunnel peer             IP address of the DS-Lite tunnel peer. If the session is not tunneled by DS-Lite, this field displays a hyphen (-).
VPN instance/VLAN ID/Inline ID  ·     VPN instance—MPLS L3VPN instance where the session is initiated.
                                ·     VLAN ID—VLAN to which the session belongs during Layer 2 forwarding.
                                ·     Inline ID—Inline to which the session belongs during Layer 2 forwarding.
                                If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for each field.
Protocol                        Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in parentheses is the protocol number.
State                           Protocol state of the session.
Application                     Application layer protocol, for example FTP or DNS. If the protocol cannot be identified because the port is unknown, this field displays OTHER.
Start time                      Time at which the session was established.
TTL                             Remaining lifetime of the session, in seconds.
Initiator->Responder            Number of packets and bytes from initiator to responder.
Responder->Initiator            Number of packets and bytes from responder to initiator.
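Added example, not part of the H3C documentation: a Python parser for the display aspf session verbose output format shown above, run on a constructed sample, that turns each session into a dictionary so the records can be exported or correlated with other telemetry. The sample omits the DS-Lite and VPN lines, which the parser treats as ordinary indented fields; SAMPLE and parse_sessions are names chosen here.

```python
import re

# Constructed sample in the "display aspf session ipv4 verbose" format
# shown above (DS-Lite and VPN lines omitted); not output from a real device.
SAMPLE = """Slot 1:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:         1 packets         48 bytes
Responder->Initiator:         0 packets          0 bytes

Total sessions found: 1
"""

ENDPOINT_RE = re.compile(r"^\s+(Source|Destination)\s+IP/port:\s*(\S+)/(\d+)$")
COUNTER_RE = re.compile(r"^(\S+->\S+):\s+(\d+) packets\s+(\d+) bytes$")
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(\S.*)$")


def parse_sessions(text):
    """One dict per session: 'initiator'/'responder' sub-dicts plus top-level fields."""
    sessions, cur, side = [], None, None
    for line in text.splitlines():
        if line == "Initiator:":                 # every session starts here
            sessions.append(cur := {"initiator": {}, "responder": {}})
            side = "initiator"
        elif line == "Responder:":
            side = "responder"
        elif m := ENDPOINT_RE.match(line):
            cur[side][m[1].lower()] = (m[2], int(m[3]))   # (address, port)
        elif m := COUNTER_RE.match(line):
            cur[m[1]] = (int(m[2]), int(m[3]))            # (packets, bytes)
        elif line.startswith("Start time:"):     # two fields share this line
            ts, ttl = line[len("Start time:"):].split("TTL:")
            cur["start_time"], cur["ttl"] = ts.strip(), int(ttl.strip().rstrip("s"))
        elif cur and line.startswith(" ") and (m := FIELD_RE.match(line)):
            cur[side][m[1]] = m[2]               # Protocol, Inbound interface, ...
        elif cur and not line.startswith("Total") and (m := FIELD_RE.match(line)):
            cur[m[1]] = m[2]                     # State, Application
    return sessions
```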

Related commands

reset aspf session

icmp-error drop

Use icmp-error drop to enable ICMP error message check, which drops forged ICMP error messages.

Use undo icmp-error drop to disable ICMP error message check.

Syntax

icmp-error drop

undo icmp-error drop

Default

ICMP error message check is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

An ICMP error message carries information about the connection it refers to. ICMP error message check verifies that information against the connection; if it does not match, ASPF drops the message.

Examples

# Enable ICMP error message check for ASPF policy 1.

<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] icmp-error drop

Related commands

aspf policy

display aspf policy

reset aspf session

Use reset aspf session to clear ASPF session statistics.

Syntax

reset aspf session [ ipv4 | ipv6 ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Clears IPv4 ASPF session statistics.

ipv6: Clears IPv6 ASPF session statistics.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears ASPF session statistics for all member devices.

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command clears all ASPF session statistics.

Examples

# Clear all ASPF session statistics.

<Sysname> reset aspf session

Related commands

display aspf session

tcp syn-check

Use tcp syn-check to enable TCP SYN check.

Use undo tcp syn-check to disable TCP SYN check.

Syntax

tcp syn-check

undo tcp syn-check

Default

TCP SYN check is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

TCP SYN check examines whether the first packet of a TCP connection is a SYN packet. If it is not, ASPF drops the packet.

When a device attached to the network starts up, the first packet it receives for an existing TCP connection might be a non-SYN packet. If you do not want that connection to be interrupted, disable TCP SYN check; the device then allows a non-SYN packet to be the first packet of a TCP connection. After the network topology stabilizes, enable TCP SYN check again.
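Added example, not H3C's implementation: a small Python model of the tcp syn-check and icmp-error drop decisions described in the usage guidelines of those two commands, showing which packets pass or drop with each check enabled and disabled, including the start-up case above where a mid-stream packet must be picked up. Flow and AspfPolicyModel are hypothetical names and all addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """5-tuple of one direction of a session (constructed example values)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class AspfPolicyModel:
    """Toy model of the two ASPF policy-view checks; not the device's code."""

    def __init__(self, tcp_syn_check=False, icmp_error_drop=False):
        self.tcp_syn_check = tcp_syn_check      # models "tcp syn-check"
        self.icmp_error_drop = icmp_error_drop  # models "icmp-error drop"
        self.sessions = set()                   # flows with tracked state

    def known(self, flow):
        return flow in self.sessions or flow.reverse() in self.sessions

    def tcp_packet(self, flow, flags):
        """Return 'pass' or 'drop' for a TCP packet carrying the given flags."""
        if self.known(flow):
            return "pass"                       # belongs to a tracked session
        if self.tcp_syn_check and "SYN" not in flags:
            return "drop"                       # a new connection must start with SYN
        # With the check disabled, a mid-stream packet seen after a restart
        # is accepted and the session is tracked from this point on.
        self.sessions.add(flow)
        return "pass"

    def icmp_error(self, embedded):
        """ICMP error message whose payload quotes the header of packet 'embedded'."""
        if self.icmp_error_drop and not self.known(embedded):
            return "drop"                       # quoted header matches no tracked connection
        return "pass"
```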

Examples

# Enable TCP SYN check for ASPF policy 1.

<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] tcp syn-check

Related commands

aspf policy