16-Security Command Reference

04-ASPF commands

ASPF commands

The WX1800H series, WX2500H series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.

The following compatibility matrixes show the support of hardware platforms for ASPF:

Hardware series            Model            Product code           ASPF compatibility
WX1800H series             WX1804H          EWP-WX1804H-PWR-CN     Yes
WX2500H series             WX2508H-PWR-LTE  EWP-WX2508H-PWR-LTE    Yes
                           WX2510H          EWP-WX2510H-PWR        Yes
                           WX2510H-F        EWP-WX2510H-F-PWR      Yes
                           WX2540H          EWP-WX2540H            Yes
                           WX2540H-F        EWP-WX2540H-F          Yes
                           WX2560H          EWP-WX2560H            Yes
WX3000H series             WX3010H          EWP-WX3010H            No
                           WX3010H-X        EWP-WX3010H-X-PWR      No
                           WX3010H-L        EWP-WX3010H-L-PWR      No
                           WX3024H          EWP-WX3024H            No
                           WX3024H-L        EWP-WX3024H-L-PWR      No
                           WX3024H-F        EWP-WX3024H-F          No
WX3500H series             WX3508H          EWP-WX3508H            Yes
                           WX3510H          EWP-WX3510H            Yes
                           WX3520H          EWP-WX3520H            Yes
                           WX3520H-F        EWP-WX3520H-F          Yes
                           WX3540H          EWP-WX3540H            Yes
WX5500E series             WX5510E          EWP-WX5510E            Yes
                           WX5540E          EWP-WX5540E            Yes
WX5500H series             WX5540H          EWP-WX5540H            Yes
                           WX5560H          EWP-WX5560H            Yes
                           WX5580H          EWP-WX5580H            Yes
Access controller modules  LSUM1WCME0       LSUM1WCME0             Yes
                           EWPXM1WCME0      EWPXM1WCME0            Yes
                           LSQM1WCMX20      LSQM1WCMX20            Yes
                           LSUM1WCMX20RT    LSUM1WCMX20RT          Yes
                           LSQM1WCMX40      LSQM1WCMX40            Yes
                           LSUM1WCMX40RT    LSUM1WCMX40RT          Yes
                           EWPXM2WCMD0F     EWPXM2WCMD0F           Yes
                           EWPXM1MAC0F      EWPXM1MAC0F            Yes

Hardware series            Model            Product code           ASPF compatibility
WX1800H series             WX1804H          EWP-WX1804H-PWR        Yes
                           WX1810H          EWP-WX1810H-PWR        Yes
                           WX1820H          EWP-WX1820H            Yes
                           WX1840H          EWP-WX1840H-GL         Yes
WX3800H series             WX3820H          EWP-WX3820H-GL         Yes
                           WX3840H          EWP-WX3840H-GL         Yes
WX5800H series             WX5860H          EWP-WX5860H-GL         Yes

aspf apply policy

Use aspf apply policy to apply an ASPF policy to an interface.

Use undo aspf apply policy to remove an ASPF policy application from an interface.

Syntax

aspf apply policy aspf-policy-number { inbound | outbound }

undo aspf apply policy aspf-policy-number { inbound | outbound }

Default

No ASPF policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Specifies an ASPF policy number. The value range for this argument is 1 to 256.

inbound: Applies the ASPF policy to incoming packets.

outbound: Applies the ASPF policy to outgoing packets.

Usage guidelines

To inspect the traffic through an interface, you must apply a configured ASPF policy to that interface.

Make sure the connection initiation packet and its response packet pass through the same interface, because ASPF stores and maintains application layer protocol state per interface.

You can apply an ASPF policy to both the inbound and outbound directions of an interface.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply ASPF policy 1 to the outbound direction of VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] aspf apply policy 1 outbound

Related commands

aspf policy

display aspf all

display aspf interface

aspf policy

Use aspf policy to create an ASPF policy and enter its view, or enter the view of an existing ASPF policy.

Use undo aspf policy to remove an ASPF policy.

Syntax

aspf policy aspf-policy-number

undo aspf policy aspf-policy-number

Default

No ASPF policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Assigns a number to the ASPF policy. The value range for this argument is 1 to 256.

Examples

# Create ASPF policy 1 and enter its view.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1]

Related commands

display aspf all

display aspf policy

detect

Use detect to configure ASPF inspection for an application layer protocol.

Use undo detect to restore the default.

Syntax

detect { ftp | h323 | sccp | sip | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }

undo detect { ftp | gtp | h323 | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

Default

ASPF inspects only transport layer protocols and the application layer protocol FTP.

Views

ASPF policy view

Predefined user roles

network-admin

Parameters

ftp: Specifies FTP, an application layer protocol.

gtp: Specifies GPRS Tunneling Protocol (GTP), an application layer protocol.

h323: Specifies the H.323 protocol stack, a set of application layer protocols.

ils: Specifies Internet Locator Service (ILS), an application layer protocol.

mgcp: Specifies Media Gateway Control Protocol (MGCP), an application layer protocol.

nbt: Specifies NetBIOS over TCP/IP (NBT), an application layer protocol.

pptp: Specifies Point-to-Point Tunneling Protocol (PPTP), an application layer protocol.

rsh: Specifies Remote Shell (RSH), an application layer protocol.

rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol.

sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol.

sip: Specifies Session Initiation Protocol (SIP), an application layer protocol.

sqlnet: Specifies SQLNET, an application layer protocol.

tftp: Specifies TFTP, an application layer protocol.

xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol.

Usage guidelines

This command configures ASPF inspection for application layer protocols. It is required to ensure successful data connections for multichannel protocols; all application protocols supported by this command, except TFTP, are multichannel protocols.

Repeat the detect command to configure ASPF inspection for multiple application protocols.

ASPF inspection for transport layer protocols is always enabled and is not configurable. The supported transport layer protocols are TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP.
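To show why detect is needed for a multichannel protocol, the following Python is an added example written for this page, not H3C's implementation. It watches an FTP control connection (FTP is the protocol ASPF inspects by default) for PORT commands and 227 passive-mode replies and derives the data-channel endpoint that an inspector must temporarily permit. The Pinhole type, the sample control-channel lines, the cross-check of the announced address against the real connection endpoints, and the refusal of privileged ports are all this example's own choices and are not documented device behaviour.

```python
"""Toy model of how a stateful inspector handles a multichannel protocol.

Added example, not H3C code. The client and server negotiate each FTP data
connection on the control connection (PORT for active mode, a 227 reply for
passive mode), so an inspector that only tracked the control connection
would block the transfer. The address cross-check and the privileged-port
rule below are this example's own hardening choices.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    """A temporary permit for one expected data connection."""
    src_ip: str      # the endpoint expected to open the data connection
    dst_ip: str
    dst_port: int


# PORT h1,h2,h3,h4,p1,p2 : the client announces where the server should connect
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) : the server announces its data port
_PASV_RE = re.compile(r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def _decode(groups):
    """Turn the six comma-separated octets into (ip, port); None if out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def pinhole_from_control_line(line, client_ip, server_ip, direction):
    """Return the Pinhole implied by one control-channel line, or None.

    direction is "c2s" for client->server commands or "s2c" for server
    replies. The address announced in the payload must equal the real
    address of the side that sent it: trusting the payload blindly would
    let a control connection open a pinhole toward a third party.
    """
    if direction == "c2s":
        m = _PORT_RE.match(line)
        if not m:
            return None
        decoded = _decode(m.groups())
        if decoded is None or decoded[0] != client_ip or decoded[1] < 1024:
            return None
        # active mode: the server opens the data connection toward the client
        return Pinhole(src_ip=server_ip, dst_ip=client_ip, dst_port=decoded[1])
    if direction == "s2c":
        m = _PASV_RE.match(line)
        if not m:
            return None
        decoded = _decode(m.groups())
        if decoded is None or decoded[0] != server_ip or decoded[1] < 1024:
            return None
        # passive mode: the client opens the data connection toward the server
        return Pinhole(src_ip=client_ip, dst_ip=server_ip, dst_port=decoded[1])
    return None


def pinholes_from_session(lines, client_ip, server_ip):
    """Run a whole control channel (list of (direction, line)) through the parser."""
    out = []
    for direction, line in lines:
        ph = pinhole_from_control_line(line, client_ip, server_ip, direction)
        if ph is not None:
            out.append(ph)
    return out


# Constructed sample control channel for this example.
SAMPLE = [
    ("c2s", "USER anonymous"),
    ("s2c", "331 Please specify the password."),
    ("c2s", "PORT 192,168,1,18,7,209"),            # active mode: client port 7*256+209 = 2001
    ("s2c", "200 PORT command successful."),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (192,168,1,55,195,80)"),  # server port 195*256+80 = 50000
    ("c2s", "PORT 10,0,0,99,7,209"),                # announces a third-party address: ignored
]

if __name__ == "__main__":
    for ph in pinholes_from_session(SAMPLE, "192.168.1.18", "192.168.1.55"):
        print(ph)
```

The two pinholes produced for SAMPLE are the server connecting to 192.168.1.18:2001 and the client connecting to 192.168.1.55:50000; the third PORT line yields nothing because its announced address is not the client's.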

Examples

# Configure ASPF inspection for FTP packets.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] detect ftp

Related commands

display aspf policy

display aspf all

Use display aspf all to display the configuration of all ASPF policies and their applications.

Syntax

display aspf all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of all ASPF policies and their applications.

<Sysname> display aspf all

ASPF policy configuration:

  Policy default:

    ICMP error message check: Disabled

    Inspected protocol

      FTP

  Policy number: 1

    ICMP error message check: Disabled

    TCP SYN packet check: Disabled

    Inspected protocol

      FTP

 

Interface configuration:

  GigabitEthernet1/0/1

    Inbound policy : 1

    Outbound policy: none

Table 1 Command output

Field                     Description
Policy default            Predefined ASPF policy.
ICMP error message check  Whether ICMP error message check is enabled.
TCP SYN packet check      Whether TCP SYN check is enabled.
Inspected protocol        Protocols to be inspected by ASPF.
Interface configuration   Interfaces where an ASPF policy is applied.
Inbound policy            Inbound ASPF policy number.
Outbound policy           Outbound ASPF policy number.

Related commands

aspf apply policy

aspf policy

display aspf policy

display aspf interface

Use display aspf interface to display ASPF policy application on interfaces.

Syntax

display aspf interface

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display ASPF policy application on interfaces.

<Sysname> display aspf interface

Interface configuration:

  Vlan-interface 100

    Inbound policy : 1

    Outbound policy: none

Table 2 Command output

Field                    Description
Interface configuration  Interfaces where an ASPF policy is applied.
Inbound policy           Inbound ASPF policy number.
Outbound policy          Outbound ASPF policy number.

Related commands

aspf apply policy

aspf policy

display aspf policy

Use display aspf policy to display the configuration of an ASPF policy.

Syntax

display aspf policy { aspf-policy-number | default }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

aspf-policy-number: Specifies the number of an ASPF policy. The value range for this argument is 1 to 256.

default: Specifies the predefined ASPF policy.

Examples

# Display the configuration of ASPF policy 1.

<Sysname> display aspf policy 1

ASPF policy configuration:

  Policy number: 1

    ICMP error message check: Disabled

    TCP SYN packet check: Enabled

Table 3 Command output

Field                     Description
ICMP error message check  Whether ICMP error message check is enabled.
TCP SYN packet check      Whether TCP SYN check is enabled.
Inspected protocol        Protocols to be inspected by ASPF.

Related commands

aspf policy

display aspf session

Use display aspf session to display ASPF sessions.

Syntax

In standalone mode:

display aspf session [ ipv4 | ipv6 ] [ verbose ]

In IRF mode:

display aspf session [ ipv4 | ipv6 ] [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Displays IPv4 ASPF sessions.

ipv6: Displays IPv6 ASPF sessions.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ASPF sessions for all member devices. (In IRF mode.)

verbose: Displays detailed information about ASPF sessions. If you do not specify this keyword, the command displays the brief information about ASPF sessions.

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command displays all ASPF sessions on the device.

Examples

# (In standalone mode.) Display brief information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface 100

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: Vlan-interface 100

 

Total sessions found: 2

# (In IRF mode.) Display brief information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface 100

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: Vlan-interface 100

Total sessions found: 2

# (In standalone mode.) Display detailed information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4 verbose

Initiator:

  Source       IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface 100

Responder:

  Source       IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface 101

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: Vlan-interface 100

Responder:

  Source      IP/port: 192.168.1.55/1792

  Destination IP/port: 192.168.1.18/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: Vlan-interface 101

State: ICMP_REQUEST

Application: OTHER

Start time: 2011-07-29 19:12:33  TTL: 55s

Initiator->Responder:          1 packets         60 bytes

Responder->Initiator:          0 packets          0 bytes

 

Total sessions found: 2

# (In IRF mode.) Display detailed information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface 100

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Vlan-interface 101

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: Vlan-interface 100

Responder:

  Source      IP/port: 192.168.1.55/1792

  Destination IP/port: 192.168.1.18/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: Vlan-interface 101

State: ICMP_REQUEST

Application: OTHER

Start time: 2011-07-29 19:12:33  TTL: 55s

Initiator->Responder:         1 packets         6048 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 2

Table 4 Command output

Field                           Description
Initiator                       Session information from initiator to responder.
Responder                       Session information from responder to initiator.
Source IP/port                  Source IP address and port number.
Destination IP/port             Destination IP address and port number.
DS-Lite tunnel peer             IP address of the DS-Lite tunnel peer. If the session is not tunneled by DS-Lite, this field displays a hyphen (-).
VPN-instance/VLAN ID/Inline ID  VPN-instance: MPLS L3VPN instance where the session is initiated. This field is not supported in the current software version.
                                VLAN ID: VLAN to which the session belongs during Layer 2 forwarding.
                                Inline ID: Inline to which the session belongs during Layer 2 forwarding.
                                If no MPLS L3VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for each field.
Protocol                        Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in parentheses is the protocol number.
State                           Protocol state of the session.
Application                     Application layer protocol, for example FTP. If the protocol cannot be identified from its port, this field displays OTHER.
Start time                      Establishment time of the session.
TTL                             Remaining lifetime of the session, in seconds.
Initiator->Responder            Number of packets and bytes from initiator to responder.
Responder->Initiator            Number of packets and bytes from responder to initiator.
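For operators who collect this output from the controller, the following Python is an added example (not H3C code) that parses the verbose session listing into records and runs one simple check over them. The record layout is inferred from the sample output quoted on this page, which is embedded below as SAMPLE_OUTPUT; the function names and the half_open_tcp helper are this example's own, not a device feature.

```python
"""Parser for the `display aspf session ... verbose` output shown above.

Added example, not H3C code. The record layout is inferred from the sample
output quoted on this page; SAMPLE_OUTPUT is that standalone-mode verbose
output. half_open_tcp() is a small detection helper built on the parsed
records, this example's own idea rather than a device feature.
"""
import re

_START_RE = re.compile(r"^Start time:\s*(\S+ \S+)\s+TTL:\s*(\d+)s")
_CTR_RE = re.compile(r"^(Initiator|Responder)->(Initiator|Responder):\s+(\d+) packets\s+(\d+) bytes")
_TOTAL_RE = re.compile(r"^Total sessions found:\s*(\d+)")
_KV_RE = re.compile(r"^\s*(.+?):\s*(.*)$")


def _endpoint(value):
    """'192.168.1.18/1877' -> ('192.168.1.18', 1877); rsplit keeps IPv6 intact."""
    ip, port = value.rsplit("/", 1)
    return ip, int(port)


def parse_aspf_sessions(text):
    """Return one dict per session, with 'initiator' and 'responder' sub-dicts."""
    sessions, cur, side = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("Slot "):   # blank, or IRF member header
            continue
        if line == "Initiator:":                            # a new session record begins
            if cur is not None:
                sessions.append(cur)
            cur, side = {"initiator": {}, "responder": {}}, "initiator"
            continue
        if line == "Responder:":
            side = "responder"
            continue
        m = _TOTAL_RE.match(line)
        if m:                                               # trailer: sanity-check the count
            if cur is not None:
                sessions.append(cur)
                cur = None
            if int(m.group(1)) != len(sessions):
                raise ValueError("session count does not match output (truncated capture?)")
            continue
        if cur is None:
            continue
        m = _START_RE.match(line)
        if m:
            cur["start_time"], cur["ttl"] = m.group(1), int(m.group(2))
            continue
        m = _CTR_RE.match(line)
        if m:
            key = "i2r" if m.group(1) == "Initiator" else "r2i"
            cur[key] = (int(m.group(3)), int(m.group(4)))
            continue
        m = _KV_RE.match(line)
        if not m:
            continue
        key = re.sub(r"\s+", " ", m.group(1)).strip()       # collapse column padding in keys
        val = m.group(2).strip()
        if line.startswith(" "):                            # indented: belongs to the current side
            if key in ("Source IP/port", "Destination IP/port"):
                val = _endpoint(val)
            cur[side][key] = val
        else:                                               # State:, Application:
            cur[key] = val
    if cur is not None:
        sessions.append(cur)
    return sessions


def half_open_tcp(sessions):
    """TCP sessions still in TCP_SYN_SENT with nothing back from the responder.

    Many of these from one source in a short window is cheap evidence that a
    host is down or that something is probing; counting them is a useful check.
    """
    return [s for s in sessions
            if s["initiator"].get("Protocol", "").startswith("TCP")
            and s.get("State") == "TCP_SYN_SENT"
            and s.get("r2i", (0, 0))[0] == 0]


# The standalone-mode verbose output quoted on this page.
SAMPLE_OUTPUT = """\
Initiator:
  Source       IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Vlan-interface 100
Responder:
  Source       IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Vlan-interface 101
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:         1 packets         48 bytes
Responder->Initiator:         0 packets          0 bytes

Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: Vlan-interface 100
Responder:
  Source      IP/port: 192.168.1.55/1792
  Destination IP/port: 192.168.1.18/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: Vlan-interface 101
State: ICMP_REQUEST
Application: OTHER
Start time: 2011-07-29 19:12:33  TTL: 55s
Initiator->Responder:          1 packets         60 bytes
Responder->Initiator:          0 packets          0 bytes

Total sessions found: 2
"""

if __name__ == "__main__":
    for s in half_open_tcp(parse_aspf_sessions(SAMPLE_OUTPUT)):
        print(s["initiator"]["Source IP/port"], "->", s["initiator"]["Destination IP/port"], s["ttl"])
```

The parser skips the "Slot N:" header that IRF-mode output adds, so the same function handles both forms shown above, and it raises if the trailer count disagrees with the number of records it parsed, which catches truncated captures.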

Related commands

reset aspf session

icmp-error drop

Use icmp-error drop to enable ICMP error message check and drop forged ICMP error messages.

Use undo icmp-error drop to disable ICMP error message check.

Syntax

icmp-error drop

undo icmp-error drop

Default

ICMP error message check is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

An ICMP error message carries information about the connection it refers to. ICMP error message check verifies that information against the connection; if it does not match, ASPF drops the message.
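The check described above, as an added example written for this page and not H3C's implementation: an ICMPv4 error message quotes the IP header and the first 8 bytes of the datagram that triggered it, so the inspector can recover the 5-tuple of the original connection and compare it with its session table. The packet layout used here is the standard IPv4/ICMPv4 one; the session-table shape, the build_icmp_error helper, the addresses (taken from the session shown in the display aspf session output above) and the decision to also reject messages with a bad ICMP checksum are this example's own.

```python
"""Model of ASPF's ICMP error message check (icmp-error drop).

Added example, not H3C code. An ICMPv4 error (Destination Unreachable,
Time Exceeded, ...) embeds the IP header and first 8 bytes of the datagram
that triggered it. The check extracts that embedded 5-tuple and accepts the
error only if it belongs to a session already in the table; otherwise it is
treated as forged and dropped. Packets are constructed with the builder at
the bottom; the session-table shape is this example's own simplification.
"""
import ipaddress
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # ICMPv4 types that quote the offending datagram


def _checksum(data):
    """RFC 1071 ones-complement checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _ip_header(pkt, off=0):
    """Return (src, dst, proto, header_len) of the IPv4 header at pkt[off:]."""
    if len(pkt) - off < 20:
        raise ValueError("truncated IP header")
    ver_ihl, proto = pkt[off], pkt[off + 9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(pkt[off + 16:off + 20]))
    return src, dst, proto, ihl


def embedded_flow(pkt):
    """For an ICMP error packet, return the 5-tuple (src, dst, proto, sport, dport)
    of the datagram it quotes, or None if pkt is not a well-formed ICMP error."""
    try:
        _, _, proto, ihl = _ip_header(pkt)
        if proto != 1:
            return None
        icmp = pkt[ihl:]
        if len(icmp) < 8 + 20 + 8 or icmp[0] not in ICMP_ERROR_TYPES:
            return None
        if _checksum(icmp) != 0:                   # bad checksum: corrupt or forged
            return None
        isrc, idst, iproto, iihl = _ip_header(icmp, 8)
        l4 = icmp[8 + iihl:8 + iihl + 8]
        if len(l4) < 8:
            return None
    except ValueError:
        return None
    sport = dport = 0
    if iproto in (6, 17):                          # TCP and UDP carry ports in the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return (isrc, idst, iproto, sport, dport)


def icmp_error_check(pkt, sessions):
    """Return 'accept' or 'drop'. sessions is a set of initiator 5-tuples."""
    flow = embedded_flow(pkt)
    if flow is None:
        return "drop"
    src, dst, proto, sport, dport = flow
    reverse = (dst, src, proto, dport, sport)
    # the quoted datagram may have been sent by either side of a known session
    return "accept" if flow in sessions or reverse in sessions else "drop"


def build_icmp_error(outer_src, outer_dst, itype, code, isrc, idst, iproto, sport, dport):
    """Construct a minimal ICMPv4 error packet (constructed test data, no options)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, iproto, 0,
                           ipaddress.IPv4Address(isrc).packed, ipaddress.IPv4Address(idst).packed)
    inner_l4 = struct.pack("!HHI", sport, dport, 0)          # first 8 bytes of TCP/UDP
    body = struct.pack("!BBHI", itype, code, 0, 0) + inner_ip + inner_l4
    body = body[:2] + struct.pack("!H", _checksum(body)) + body[4:]
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                           ipaddress.IPv4Address(outer_src).packed, ipaddress.IPv4Address(outer_dst).packed)
    return outer_ip + body


# Session taken from the page's sample output: 192.168.1.18:1877 -> 192.168.1.55:22 (TCP).
SESSIONS = {("192.168.1.18", "192.168.1.55", 6, 1877, 22)}

# A router on the path reports the SSH packet as unreachable: genuine, accepted.
GENUINE = build_icmp_error("192.168.1.254", "192.168.1.18", 3, 1,
                           "192.168.1.18", "192.168.1.55", 6, 1877, 22)
# Same error quoting a connection nobody established: dropped.
FORGED = build_icmp_error("192.168.1.254", "192.168.1.18", 3, 1,
                          "192.168.1.18", "192.168.1.55", 6, 4444, 22)

if __name__ == "__main__":
    print("genuine:", icmp_error_check(GENUINE, SESSIONS))
    print("forged: ", icmp_error_check(FORGED, SESSIONS))
```

A real inspector also ties the check to the interface and direction the session was learned on; this example keeps only the 5-tuple comparison to show the principle.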

Examples

# Enable ICMP error message check for ASPF policy 1.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] icmp-error drop

Related commands

aspf policy

display aspf policy

reset aspf session

Use reset aspf session to clear ASPF session statistics.

Syntax

In standalone mode:

reset aspf session [ ipv4 | ipv6 ]

In IRF mode:

reset aspf session [ ipv4 | ipv6 ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Clears IPv4 ASPF session statistics.

ipv6: Clears IPv6 ASPF session statistics.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears ASPF session statistics for all member devices. (In IRF mode.)

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command clears all ASPF session statistics.

Examples

# Clear all ASPF session statistics.

<Sysname> reset aspf session

Related commands

display aspf session

tcp syn-check

Use tcp syn-check to enable TCP SYN check.

Use undo tcp syn-check to disable TCP SYN check.

Syntax

tcp syn-check

undo tcp syn-check

Default

TCP SYN check is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

TCP SYN check verifies that the first packet of a TCP connection is a SYN packet. If the first packet is not a SYN packet, ASPF drops it.

When a router attached to the network starts up, the first packet it receives for an existing TCP connection can be a non-SYN packet. If you do not want to interrupt existing TCP connections, you can disable TCP SYN check; the router then allows a non-SYN packet to pass as the first packet of a TCP connection. After the network topology stabilizes, enable TCP SYN check again.
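The two behaviours described above, as an added example written for this page rather than H3C's implementation: a minimal stateful inspector keeps a session table keyed by 5-tuple, and the tcp_syn_check switch decides what happens to a TCP packet that matches no session. The Inspector and Pkt types, the simplified state names and the packet traces (a normal handshake, and a connection that was already established when the inspector came up) are this example's own constructions.

```python
"""Model of ASPF's TCP SYN check (tcp syn-check).

Added example, not H3C code. With SYN check on, a TCP packet that matches
no session is accepted only if it is a bare SYN (the first packet of a
three-way handshake); anything else is dropped. With SYN check off, the
inspector also adopts connections it first sees mid-stream, which is what
the page describes for a router that has just started up. The state names
are a simplified subset; the packet traces below are constructed.
"""
from dataclasses import dataclass, field

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Inspector:
    tcp_syn_check: bool = True
    sessions: dict = field(default_factory=dict)    # session key -> state name

    @staticmethod
    def _key(p):
        """Direction-independent key so that replies map to the same session."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def handle(self, p):
        """Return 'pass' or 'drop' for one TCP packet, updating the table."""
        k = self._key(p)
        state = self.sessions.get(k)
        if state is not None:                       # known session: track state, let it through
            if p.flags & (FIN | RST):
                self.sessions[k] = "CLOSING"
            elif state == "TCP_SYN_SENT" and p.flags & SYN and p.flags & ACK:
                self.sessions[k] = "TCP_SYN_RECV"
            elif state == "TCP_SYN_RECV" and p.flags & ACK:
                self.sessions[k] = "ESTABLISHED"
            return "pass"
        if p.flags & SYN and not p.flags & ACK:     # bare SYN: legitimate first packet
            self.sessions[k] = "TCP_SYN_SENT"
            return "pass"
        if self.tcp_syn_check:
            return "drop"                           # non-SYN first packet of an unknown flow
        self.sessions[k] = "ESTABLISHED"            # SYN check off: adopt the flow mid-stream
        return "pass"


def run_trace(inspector, trace):
    """Feed a list of packets through the inspector and collect its decisions."""
    return [inspector.handle(p) for p in trace]


C, S = "192.168.1.18", "192.168.1.55"               # addresses from the page's sample output
# A normal three-way handshake to the SSH port.
HANDSHAKE = [Pkt(C, 1877, S, 22, SYN), Pkt(S, 22, C, 1877, SYN | ACK), Pkt(C, 1877, S, 22, ACK)]
# A connection established before the inspector came up: only mid-stream traffic is seen.
MIDSTREAM = [Pkt(C, 1878, S, 22, ACK), Pkt(S, 22, C, 1878, ACK)]


def scenario():
    """Run both traces with SYN check enabled and with it disabled."""
    strict, lenient = Inspector(tcp_syn_check=True), Inspector(tcp_syn_check=False)
    return {
        "handshake_strict": run_trace(strict, HANDSHAKE),
        "midstream_strict": run_trace(strict, MIDSTREAM),
        "midstream_lenient": run_trace(lenient, MIDSTREAM),
    }


if __name__ == "__main__":
    for name, decisions in scenario().items():
        print(name, decisions)
```

With SYN check enabled the mid-stream connection is dropped packet by packet and never enters the table, which is the interruption the page warns about; with it disabled the same packets pass and the flow is adopted, at the cost of accepting state from packets whose handshake was never seen.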

Examples

# Enable TCP SYN check for ASPF policy 1.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] tcp syn-check

Related commands

aspf policy