19-Security Command Reference

10-ASPF commands

ASPF commands

aspf apply policy

Use aspf apply policy to apply an ASPF policy to an interface.

Use undo aspf apply policy to remove an ASPF policy application from an interface.

Syntax

aspf apply policy aspf-policy-number { inbound | outbound }

undo aspf apply policy aspf-policy-number { inbound | outbound }

Default

No ASPF policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Specifies an ASPF policy number. The value range for the aspf-policy-number argument is 1 to 256.

inbound: Applies the ASPF policy to incoming packets.

outbound: Applies the ASPF policy to outgoing packets.

Usage guidelines

To inspect the traffic through an interface, you must apply a configured ASPF policy to that interface.

Make sure a connection's initiation packet and its response packet pass through the same interface, because ASPF stores and maintains application layer protocol status per interface.

You can apply an ASPF policy to both the inbound and outbound directions of an interface.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply ASPF policy 1 to the outbound direction of GigabitEthernet 0/0/1.

<Sysname> system-view
[Sysname] interface gigabitethernet 0/0/1
[Sysname-GigabitEthernet0/0/1] aspf apply policy 1 outbound

Related commands

aspf policy

display aspf all

display aspf interface

aspf policy

Use aspf policy to create an ASPF policy and enter its view, or enter the view of an existing ASPF policy.

Use undo aspf policy to remove an ASPF policy.

Syntax

aspf policy aspf-policy-number

undo aspf policy aspf-policy-number

Default

No ASPF policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Assigns a number to the ASPF policy. The value range for the aspf-policy-number argument is 0 to 256.

Examples

# Create ASPF policy 1 and enter its view.

<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1]

Related commands

display aspf all

display aspf policy

detect

Use detect to configure ASPF inspection for an application layer protocol.

Use undo detect to restore the default.

Syntax

detect { dns [ action { drop | logging } * ] | { ftp | h323 | http | sccp | sip | smtp } [ action drop ] | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }

undo detect { dns | ftp | gtp | h323 | http | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | smtp | sqlnet | tftp | xdmcp }

Default

ASPF inspects only transport layer protocols and the application layer protocol FTP.

Views

ASPF policy view

Predefined user roles

network-admin

Parameters

dns: Specifies DNS, an application layer protocol.

ftp: Specifies FTP, an application layer protocol.

gtp: Specifies GPRS Tunneling Protocol (GTP), an application layer protocol.

h323: Specifies the H.323 protocol stack, a set of application layer protocols.

http: Specifies HTTP, an application layer protocol.

ils: Specifies Internet Locator Service (ILS), an application layer protocol.

mgcp: Specifies Media Gateway Control Protocol (MGCP), an application layer protocol.

nbt: Specifies NetBIOS over TCP/IP (NBT), an application layer protocol.

pptp: Specifies Point-to-Point Tunneling Protocol (PPTP), an application layer protocol.

rsh: Specifies Remote Shell (RSH), an application layer protocol.

rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol.

sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol.

sip: Specifies Session Initiation Protocol (SIP), an application layer protocol.

smtp: Specifies SMTP, an application layer protocol.

sqlnet: Specifies SQLNET, an application layer protocol.

tftp: Specifies TFTP, an application layer protocol.

xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol.

action: Specifies the action to take on packets that fail the protocol status validity check. If you do not specify an action, ASPF does not perform the protocol status validity check and only maintains connection status information.

drop: Drops the packets that do not pass the protocol status validity check.

logging: Generates log messages for packets that do not pass the protocol status validity check.

Usage guidelines

This command is required to ensure successful data connections for multichannel protocols when either of the following conditions exists:

·     The ALG feature is disabled in other service modules (such as NAT).

·     Other service modules with the ALG feature (such as DPI) are not configured.

This command is optional for multichannel protocols if ALG is enabled in other service modules (such as NAT) or if other service modules with the ALG feature are configured.

Application protocols supported by this command (except HTTP, SMTP, and TFTP) are multichannel protocols.

Repeat the detect command to configure ASPF inspection for multiple application protocols.

ASPF inspection for transport layer protocols is always enabled and is not configurable. The supported transport layer protocols include TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP.

This command configures ASPF inspection for application protocols. ASPF supports the protocol status validity check for DNS, FTP, H.323, HTTP, SCCP, SIP, and SMTP. The device handles packets with invalid protocol status according to the action you specify. To enable the protocol status validity check for an application protocol, you must specify the action keyword.

Examples

# Configure ASPF inspection for FTP packets.

<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect ftp

# Configure ASPF inspection for DNS packets, drop packets that fail the protocol status validity check, and generate log messages for these packets.

<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect dns action drop logging

Related commands

display aspf policy

display aspf all

Use display aspf all to display the configuration of all ASPF policies and their applications.

Syntax

display aspf all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of all ASPF policies and their applications.

<Sysname> display aspf all
ASPF policy configuration:
  Policy default:
    ICMP error message check: Disabled
    Inspected protocol    Action
      FTP                  None
  Policy number: 1
    ICMP error message check: Disabled
    TCP SYN packet check: Disabled
    Inspected protocol    Action
      FTP                  None

Interface configuration:
  GigabitEthernet0/0/1
    Inbound policy : 1
    Outbound policy: none

Table 1 Command output

Field                      Description
Policy default             Predefined ASPF policy.
ICMP error message check   Whether ICMP error message check is enabled.
TCP SYN packet check       Whether TCP SYN check is enabled.
Inspected protocol         Protocols to be inspected by ASPF.
Action                     Actions on the detected illegal packets:
                           ·     Drop—Drops illegal packets.
                           ·     Log—Generates log messages for illegal packets.
                           ·     None—Allows illegal packets to pass.
                           If the protocol does not support the action configuration, this field displays a hyphen (-).
Interface configuration    Interfaces where an ASPF policy is applied.
Inbound policy             Inbound ASPF policy number.
Outbound policy            Outbound ASPF policy number.

 

Related commands

aspf apply policy

aspf policy

display aspf policy

display aspf interface

Use display aspf interface to display the ASPF policies applied to interfaces.

Syntax

display aspf interface

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the ASPF policies applied to interfaces.

<Sysname> display aspf interface
Interface configuration:
  GigabitEthernet0/0/1
    Inbound policy : 1
    Outbound policy: none

Table 2 Command output

Field                      Description
Interface configuration    Interfaces where an ASPF policy is applied.
Inbound policy             Inbound ASPF policy number.
Outbound policy            Outbound ASPF policy number.

 

Related commands

aspf apply policy

aspf policy

display aspf policy

Use display aspf policy to display the configuration of an ASPF policy.

Syntax

display aspf policy { aspf-policy-number | default }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

aspf-policy-number: Specifies the number of an ASPF policy. The value range for the aspf-policy-number argument is 0 to 256.

default: Specifies the predefined ASPF policy.

Examples

# Display the configuration of ASPF policy 1.

<Sysname> display aspf policy 1
ASPF policy configuration:
  Policy number: 1
    ICMP error message check: Disabled
    TCP SYN packet check: Enabled
    Inspected protocol    Action
      FTP                  Drop
      HTTP                 None
      RSH                  -

Table 3 Command output

Field                      Description
ICMP error message check   Whether ICMP error message check is enabled.
TCP SYN packet check       Whether TCP SYN check is enabled.
Inspected protocol         Protocols to be inspected by ASPF.
Action                     Actions on the detected illegal packets:
                           ·     Drop—Drops illegal packets.
                           ·     Log—Generates log messages for illegal packets.
                           ·     None—Allows illegal packets to pass.
                           If the protocol does not support the action configuration, this field displays a hyphen (-).

 

Related commands

aspf policy

display aspf session

Use display aspf session to display ASPF sessions.

Syntax

display aspf session [ ipv4 | ipv6 ] [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Displays IPv4 ASPF sessions.

ipv6: Displays IPv6 ASPF sessions.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ASPF sessions on all cards.

verbose: Displays detailed information about ASPF sessions. If you do not specify this keyword, the command displays brief information about ASPF sessions.

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command displays all ASPF sessions on the device.

Examples

# Display brief information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4
Slot 1:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet0/0/1
  Source security zone: SrcZone
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/0/1
  Source security zone: SrcZone

Total sessions found: 2

# Display detailed information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4 verbose
Slot 1:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet0/0/1
  Source security zone: SrcZone
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet0/0/2
  Source security zone: DestZone
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:         1 packets         48 bytes
Responder->Initiator:         0 packets          0 bytes

Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/0/1
  Source security zone: SrcZone
Responder:
  Source      IP/port: 192.168.1.55/1792
  Destination IP/port: 192.168.1.18/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/0/2
  Source security zone: DestZone
State: ICMP_REQUEST
Application: OTHER
Start time: 2011-07-29 19:12:33  TTL: 55s
Initiator->Responder:         1 packets         6048 bytes
Responder->Initiator:         0 packets          0 bytes

Total sessions found: 2

Table 4 Command output

Field                           Description
Initiator                       Session information from initiator to responder.
Responder                       Session information from responder to initiator.
Source IP/port                  Source IP address and port number.
Destination IP/port             Destination IP address and port number.
DS-Lite tunnel peer             IP address of the DS-Lite tunnel peer. If the session is not tunneled by DS-Lite, this field displays a hyphen (-).
VPN instance/VLAN ID/Inline ID  ·     VPN instance—MPLS L3VPN instance where the session is initiated.
                                ·     VLAN ID—VLAN to which the session belongs during Layer 2 forwarding.
                                ·     Inline ID—Inline to which the session belongs during Layer 2 forwarding.
                                If no MPLS L3VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for each field.
Protocol                        Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in parentheses is the protocol number.
Source security zone            Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-).
State                           Protocol status of the session.
Application                     Application layer protocol, for example FTP or DNS. If the protocol cannot be identified by its port, this field displays OTHER.
Start time                      Establishment time of the session.
TTL                             Remaining lifetime of the session, in seconds.
Initiator->Responder            Number of packets and bytes from initiator to responder.
Responder->Initiator            Number of packets and bytes from responder to initiator.

 
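Operators often need to post-process this output (for example, to find sessions the responder never answered). The following Python parser for the display aspf session verbose format is an added example, not H3C code; it assumes the field layout shown above and runs on a constructed sample trimmed from that output.

```python
def parse_aspf_sessions(text):
    """Parse 'display aspf session verbose' output into a list of dicts."""
    sessions, cur, side = [], None, None
    for raw in text.splitlines():
        line = " ".join(raw.split())           # collapse the column padding
        if line in ("Initiator:", "Responder:"):
            side = line[:-1].lower()
            if side == "initiator":            # every session record starts here
                cur = {"initiator": {}, "responder": {}}
                sessions.append(cur)
            continue
        if cur is None or ": " not in line or line.startswith("Total"):
            continue
        key, val = line.split(": ", 1)
        if raw.startswith("  "):               # indented: a field of the current side
            cur[side][key] = val
        elif key == "Start time":              # val: "2011-07-29 19:12:36 TTL: 28s"
            start, ttl = val.split(" TTL: ")
            cur["start_time"], cur["ttl"] = start, int(ttl.rstrip("s"))
        elif "->" in key:                      # val: "1 packets 48 bytes"
            pkts, _, octets, _ = val.split()
            cur[key] = (int(pkts), int(octets))
        else:                                  # State, Application
            cur[key.lower()] = val
    return sessions

def half_open(sessions):   # responder never answered: half-open TCP or unanswered probe
    return [s for s in sessions if s.get("Responder->Initiator", (0, 0))[0] == 0]

# Constructed sample in the 'display aspf session verbose' format shown above
SAMPLE = """\
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  Protocol: TCP(6)
Responder:
  Source      IP/port: 192.168.1.55/22
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:         1 packets         48 bytes
Responder->Initiator:         0 packets          0 bytes
Initiator:
  Source      IP/port: 192.168.1.18/1792
  Protocol: ICMP(1)
State: ICMP_REQUEST
Application: OTHER
Initiator->Responder:         1 packets         6048 bytes
Responder->Initiator:         0 packets          0 bytes
"""
```

Call parse_aspf_sessions(SAMPLE) to get one dict per session; half_open() then lists sessions with zero packets from the responder, which is where SYN_SENT sessions that never complete show up.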

Related commands

reset aspf session

icmp-error drop

Use icmp-error drop to enable ICMP error message dropping.

Use undo icmp-error drop to disable ICMP error message dropping.

Syntax

icmp-error drop

undo icmp-error drop

Default

ICMP error message dropping is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

An ICMP error message carries information about the connection it refers to. ICMP error message dropping verifies that information against the connection ASPF is tracking. If the information does not match the connection, ASPF drops the message.

Examples

# Enable ICMP error message dropping for ASPF policy 1.

<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] icmp-error drop

Related commands

aspf policy

display aspf policy

reset aspf session

Use reset aspf session to clear ASPF session statistics.

Syntax

reset aspf session [ ipv4 | ipv6 ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Clears IPv4 ASPF session statistics.

ipv6: Clears IPv6 ASPF session statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears ASPF session statistics for all cards.

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command clears all ASPF session statistics.

Examples

# Clear all ASPF session statistics.

<Sysname> reset aspf session

Related commands

display aspf session

tcp syn-check

Use tcp syn-check to enable TCP SYN check.

Use undo tcp syn-check to disable TCP SYN check.

Syntax

tcp syn-check

undo tcp syn-check

Default

TCP SYN check is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

TCP SYN check verifies that the first packet of a TCP connection is a SYN packet. If the first packet is not a SYN packet, ASPF drops it.

When a router attached to the network is started up, the first packet it receives for an existing TCP connection can be a non-SYN packet. If you do not want to interrupt such existing TCP connections, disable TCP SYN check; the router then allows a non-SYN packet to be the first packet of a TCP connection. After the network topology becomes stable, enable TCP SYN check again.
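The two ASPF checks described on this page, icmp-error drop and tcp syn-check, are both decisions made against the session table. The following Python model is an added example, not H3C code: it is a simplified session table (5-tuple keys, no timeouts) that shows why a mid-stream packet is dropped only while SYN check is on, and why an ICMP error is dropped only when its embedded flow matches no tracked session; the packet trace and addresses are constructed.

```python
def flip(t):
    """Reverse a 5-tuple (proto, src, sport, dst, dport) into the other direction."""
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)

class AspfPolicy:
    """Toy model (not H3C code) of an ASPF policy's session table and two checks."""
    def __init__(self, tcp_syn_check=False, icmp_error_drop=False):
        self.tcp_syn_check, self.icmp_error_drop = tcp_syn_check, icmp_error_drop
        self.sessions = set()       # 5-tuples stored in the initiator's direction

    def inspect(self, pkt):
        """Return 'pass' or 'drop' for one packet and update the session table."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["proto"] == "icmp-error":
            # The error embeds the header of the packet that triggered it; with
            # icmp-error drop enabled, that embedded flow must match a tracked session.
            inner = pkt["inner"]
            known = inner in self.sessions or flip(inner) in self.sessions
            return "pass" if known or not self.icmp_error_drop else "drop"
        if key in self.sessions or flip(key) in self.sessions:
            return "pass"           # packet belongs to an existing session
        if pkt["proto"] == "tcp" and self.tcp_syn_check and not pkt.get("syn"):
            return "drop"           # a new TCP flow must start with a SYN
        self.sessions.add(key)      # the first packet creates the session
        return "pass"

def scenario():
    """Constructed packet trace (hypothetical hosts); returns the verdict for each step."""
    client, server = "192.168.1.18", "192.168.1.55"
    ack = {"proto": "tcp", "src": client, "sport": 1877, "dst": server, "dport": 22, "syn": False}
    syn = dict(ack, sport=1878, syn=True)
    syn_ack = {"proto": "tcp", "src": server, "sport": 22, "dst": client, "dport": 1878, "syn": True}
    err_known = {"proto": "icmp-error", "src": server, "sport": 0, "dst": client, "dport": 0,
                 "inner": ("tcp", client, 1878, server, 22)}
    err_unrelated = dict(err_known, inner=("tcp", client, 40000, server, 443))
    strict = AspfPolicy(tcp_syn_check=True, icmp_error_drop=True)
    lenient = AspfPolicy()          # both checks disabled, the device default
    return {
        "midstream_ack_strict": strict.inspect(ack),           # drop: no session, not a SYN
        "syn_strict": strict.inspect(syn),                     # pass: creates the session
        "syn_ack_strict": strict.inspect(syn_ack),             # pass: reply of that session
        "data_strict": strict.inspect(dict(syn, syn=False)),   # pass: known session
        "icmp_error_known": strict.inspect(err_known),         # pass: matches a tracked flow
        "icmp_error_unrelated": strict.inspect(err_unrelated), # drop: no matching session
        "midstream_ack_lenient": lenient.inspect(ack),         # pass: SYN check off (restart case)
        "icmp_error_lenient": lenient.inspect(err_unrelated),  # pass: ICMP error drop off
    }
```

The midstream_ack cases are the router-restart situation from the guidelines above: with tcp syn-check enabled the surviving connection's next packet is dropped, with it disabled the packet is accepted and a session is created.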

Examples

# Enable TCP SYN check for ASPF policy 1.

<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] tcp syn-check

Related commands

aspf policy
